When use outputlookup, the result is output in inc...

yutaka1005 · ‎07-12-2018

Splunk ver : 6.2.7
OS : CentOS 7

I'm trying outputlookup some lookup files from one lookup file.
Below is the source lookup file.
*In fact there are more fields and values.

master.csv

host, flag
AAA, 1
BBB, 1
CCC, 1

The following is a search statement used to split and output the lookup file.

| inputlookup master.csv | search host="AAA" | outputlookup AAA.csv

| inputlookup master.csv | search host="BBB" | outputlookup BBB.csv

| inputlookup master.csv | search host="CCC" | outputlookup CCC.csv

However when I check lookup files that made by outputlookup, the value of the field flag become null!

Does anyone face such an event?
Also, if you know the solution etc, I would be pleased if you could tell me.

HiroshiSatoh · ‎07-12-2018

フィールド名が間違っているということはないですか？
例えばflagの先頭にスペースが入っているとか

yutaka1005 · ‎07-12-2018

flagフィールドに関しては、元lookupファイルからそのままoutputしているので、特にフィールド名による影響は関連が無いかと思います。

When use outputlookup, the result is output in incomplete state.

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

When use outputlookup, the result is output in incomplete state.

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...