Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

No value coming from OUTPUT during a look up

sowmya120
New Member
‎06-04-2019 01:00 PM

I am trying to match a field across two inputs if the field matches then I compare the dates and table them.
When I create the match expression and output the values, they are blank.
However the date comparison following this expression is working, so it is getting the fields somehow.
Can someone help, I am very new to Splunk
Here is my query:

| inputlookup File1
| fields T1 F1 R1 C1-- (fields in File1)
| lookup File2 F2 AS F1 OUTPUT Num F2 CT2 UT2 S2 (fields in File2)
| eval results=case((T1>CT2 AND (S2!="XYX"AND S2!="ABC")), "Duplicate",(T1>CT2 AND (S2="XYX" OR S2="ABC")),"New")
|eval Ticket=if(results=New,"NEW Ticket","Duplicate")
| table Ticket R1 F1 C1 F2 Num Created S2 CT2

The results logic seems to be working, and I am getting table with Duplicate, R1, F1 C1
However I am not getting F2 Num Created S2 and CT2 , the fields from File2. When i just run the following

| inputlookup File1
| fields T1 F1 R1 C1-- (fields in File1)
| lookup File2 F2 AS F1 OUTPUT Num F2 CT2 UT2 S2 (fields in File2)

I get the fields from File1(based on second line of search) and data, but only fields from File2 but no data in them(OUTPUT result), any idea what i am doing wrong here.

0 Karma
Reply

evania
Splunk Employee
Splunk Employee
‎06-17-2019 03:03 PM

Hi @sowmya120 ,

Did you have a chance to check out any answers? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma
Reply

sowmya120
New Member
‎06-18-2019 01:21 PM

Thank you all guys, sorry I was on vacation. No it did not help. I modified the data to make the search easier.
Now I am able to write the search query.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎06-05-2019 02:53 AM

Hi,

Can you please try below query ?

| inputlookup File1
| fields T1 F1 R1 C1
| lookup File2 F2 AS F1 OUTPUT Num AS Num, F2 AS F2, CT2 AS CT2, UT2 AS UT2, S2 AS S2
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...