When use outputlookup, the result is output in inc...

yutaka1005 · ‎07-12-2018

Splunk ver : 6.2.7
OS : CentOS 7

I'm trying outputlookup some lookup files from one lookup file.
Below is the source lookup file.
*In fact there are more fields and values.

master.csv

host, flag
AAA, 1
BBB, 1
CCC, 1

The following is a search statement used to split and output the lookup file.

| inputlookup master.csv | search host="AAA" | outputlookup AAA.csv

| inputlookup master.csv | search host="BBB" | outputlookup BBB.csv

| inputlookup master.csv | search host="CCC" | outputlookup CCC.csv

However when I check lookup files that made by outputlookup, the value of the field flag become null!

Does anyone face such an event?
Also, if you know the solution etc, I would be pleased if you could tell me.

HiroshiSatoh · ‎07-12-2018

フィールド名が間違っているということはないですか？
例えばflagの先頭にスペースが入っているとか

yutaka1005 · ‎07-12-2018

flagフィールドに関しては、元lookupファイルからそのままoutputしているので、特にフィールド名による影響は関連が無いかと思います。

When use outputlookup, the result is output in incomplete state.

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

Are you a member of the Splunk Community?

When use outputlookup, the result is output in incomplete state.

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!