Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

No value coming from OUTPUT during a look up

sowmya120
New Member
‎06-04-2019 01:00 PM

I am trying to match a field across two inputs if the field matches then I compare the dates and table them.
When I create the match expression and output the values, they are blank.
However the date comparison following this expression is working, so it is getting the fields somehow.
Can someone help, I am very new to Splunk
Here is my query:

| inputlookup File1
| fields T1 F1 R1 C1-- (fields in File1)
| lookup File2 F2 AS F1 OUTPUT Num F2 CT2 UT2 S2 (fields in File2)
| eval results=case((T1>CT2 AND (S2!="XYX"AND S2!="ABC")), "Duplicate",(T1>CT2 AND (S2="XYX" OR S2="ABC")),"New")
|eval Ticket=if(results=New,"NEW Ticket","Duplicate")
| table Ticket R1 F1 C1 F2 Num Created S2 CT2

The results logic seems to be working, and I am getting table with Duplicate, R1, F1 C1
However I am not getting F2 Num Created S2 and CT2 , the fields from File2. When i just run the following

| inputlookup File1
| fields T1 F1 R1 C1-- (fields in File1)
| lookup File2 F2 AS F1 OUTPUT Num F2 CT2 UT2 S2 (fields in File2)

I get the fields from File1(based on second line of search) and data, but only fields from File2 but no data in them(OUTPUT result), any idea what i am doing wrong here.

0 Karma
Reply

evania
Splunk Employee
Splunk Employee
‎06-17-2019 03:03 PM

Hi @sowmya120 ,

Did you have a chance to check out any answers? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help you.

Thanks for posting!

0 Karma
Reply

sowmya120
New Member
‎06-18-2019 01:21 PM

Thank you all guys, sorry I was on vacation. No it did not help. I modified the data to make the search easier.
Now I am able to write the search query.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎06-05-2019 02:53 AM

Hi,

Can you please try below query ?

| inputlookup File1
| fields T1 F1 R1 C1
| lookup File2 F2 AS F1 OUTPUT Num AS Num, F2 AS F2, CT2 AS CT2, UT2 AS UT2, S2 AS S2
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...