- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Lookup not working, it is generating a "NOT ()...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup not working, it is generating a "NOT ()" query for some reason.
lookup contains 3 columns DeviceId, host, and storeNumber
splunk events contain a Properties.DeviceName field that matches the DeviceId in the lookup.
When I attempt the following
baseSearch
Properties.DeviceName=*
| search Properties.DeviceName IN
[| lookup SPCClientMaster DeviceId AS Properties.DeviceName
]
Error in 'search' command: Unable to parse the search: Comparator 'IN' has an invalid term on the right hand side: NOT.
Why is this happening?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if this is related but if you're trying to run a subsearch your square bracket is not in the right place and you have an extra pipe. Should be like this:
baseSearch
Properties.DeviceName=*
[ search Properties.DeviceName IN
| lookup SPCClientMaster DeviceId AS Properties.DeviceName
]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't work as you get the following error
Error in 'search' command: Unable to parse the search: Comparator 'IN' is missing a term on the right hand side.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure a lookup command in a subsearch makes sense, it doesn't have anything to look at. You can do one of two things here:
baseSearch
Properties.DeviceName=*
| search
[| inputlookup SPCClientMaster DeviceId
| rename DeviceId as Properties.DeviceName
]
OR
baseSearch
Properties.DeviceName=*
| lookup SPCClientMaster DeviceId AS Properties.DeviceName OUTPUT fieldThatShowsExistence
| where isnotnull(fieldThatShowsExistence)
I like the first if you just want a straight IN clause, and the second if you want to extract information from the csv. Does that make sense?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Neither of these work either. This isn't making any sense whatsoever.
There is a row in my lookup that has a value for DeviceId as "ABC"
I can write the splunk query as Properties.DeviceName=ABC, and it returns a row as expected.
When I add [| lookup SPCClientMaster DeviceId as Properties.DeviceName] I get nothing. Even though I can write the query |inputlookup SPCClientMaster .csv |search DeviceId=ABC, and it returns a row.
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Buttercup Games: Further Dashboarding Techniques (Part 5)
