Re: Lookup values not shown on result table

dunick · ‎10-05-2019

Hello all,

I am searching in Splunk for the last login date of a User and export it into a table:

... | eval date=strftime(_time,"%F")
| stats latest(date) by U
| table U, latest(date)

Now I have a lookup table (user_info.csv) containing ALL UserID from the system.
I would like to include all of them on the my search results, even those who never logged-in in the system. For example (PWMDN):

UserID  Last login
 JLSME  2019-02-21
KOEMN   2019-10-12
PWMDN   Never (or 1900-01-01)
JDEMI   2019-09-11

Do you have any Idea how to do it?
Thank you very much

cmerriman · ‎10-05-2019

i would append the lookup table with the user_info.csv

Something similar to

<base search to gather all active users with latest login date>
|rename U as UserID
|inputlookup user_info.csv append=true
|stats latest(last_login) as last_login by UserID
|fillnull last_login value="Never"

dunick · ‎10-07-2019

Thank you very much, it works!!

woodcock · ‎10-08-2019

Come back and click Accept to close the question.

Lookup values not shown on result table

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...