Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk lookup failing, even on itself

eandres
Explorer
‎02-13-2025 11:43 AM

Running a lookup where I have verified the fields exist and match and its not returning an output field. So, I verified by running the lookup by itself and it still doesn't match. I have checked permissions, ran the search from the app it belongs to. I can view the lookup with "| inputlookup <name>".

 

Example running the lookup on itself:

| inputlookup myfile
| table a, b
| lookup myfile a OUTPUT b AS c
| table a, b, c

c always shows as empty for this one lookup

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

eandres
Explorer
‎02-13-2025 12:49 PM

This is a time-based lookup, so if the _time in your event is not close enough to the time field in the lookup, it will not return a match.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

eandres
Explorer
‎02-13-2025 12:49 PM

This is a time-based lookup, so if the _time in your event is not close enough to the time field in the lookup, it will not return a match.

0 Karma
Reply
Solved! Jump to solution

eandres
Explorer
‎02-13-2025 12:07 PM

I believe this has something to do with the lookup having time_field set in the transforms.conf. e.g. "time_field = d"

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎02-13-2025 12:54 PM

Hi @eandres 

In Splunk, when defining a lookup within transforms.conf, the time_field parameter is used to specify a field in the lookup table that represents a timestamp. This allows Splunk to apply time-based filtering, ensuring that lookup results are relevant to the event’s timestamp

How to Troubleshoot and Fix

  • Verify the format of timestamps in your lookup file and ensure time_format matches.
  • Check if your events fall within the expected time range of the lookup.
  • Test the lookup manually using | inputlookup my_lookup to confirm that timestamps are stored correctly.
  • Remove time_field if time-based filtering is not required.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...