Splunk Search

How to return values from lookup which are not matching the search?

kavyadekkata
Explorer

Hi,
I currently have a search which returns a list of users with employee ID from a user lookup.

e.g. the user lookup has the following information:
syyyyyy
sxxxxxx
szzzzzz

My initial search returns syyyyy, sxxxxx, but I want the search to return szzzzzz. But my search below is not returning any results:

index=idx_xxxxx sourcetype="cisco:xxx" svc | rename user as identity
| lookup local=true wfh_names_def identity OUTPUT identity, name
| search identity NOT
[| lookup local=true wfh_names_def identity OUTPUT identity, name]

Could anyone please help?

Thanks & Regards
Kavya Dekkata

0 Karma

denzelchung
Path Finder

Do the lookup first, then use join to combine your search results with the base lookup values.

For example,

| inputlookup host.csv | join type=left host [| metadata type=hosts]

Doing an individual "| metadata type=hosts" search would give me host "A" and "B". In my csv file, I have "A", "B", "C", "D". Doing the above query would give me everything in my lookup file.

0 Karma
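
An added example, not part of either post above: one way to list only the lookup entries that never appear in the events, using the index, sourcetype and lookup names from the question. It assumes the wfh_names_def lookup carries the identity and name fields and that user values in the events match identity exactly, including case.

```spl
index=idx_xxxxx sourcetype="cisco:xxx" svc
| stats count AS events BY user
| rename user AS identity
| inputlookup append=true wfh_names_def
| stats sum(events) AS events, values(name) AS name BY identity
| where isnull(events)
| fields identity, name
```

Rows that come only from the lookup have no events value, so the final filter keeps the users that are listed in the lookup but absent from the search. Using inputlookup append=true instead of a subsearch keeps the lookup side free of subsearch result limits.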