Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where/Search clause does not work with lookup.

sherwin_r
Explorer
‎11-08-2023 03:30 AM

I am  having trouble comparing the columns age and expectedAge, where the column expectedAge is a result of a lookup table. I tried the comparison with "where" as well as "search" clauses. Neither of them worked. I just simply want to select the rows where age > expectedAge.

Expected behaviour :

Return rows where the above mentioned condition is met.

 

Actual behaviour :

Returns nothing.

 

| eval age=bla..bla..bla 
| lookup "expected_age_lookup" dummy_s as s OUTPUT expected_age
| fillnull value=777 expected_age
| rename expected_age as expectedAge
| search age > expectedAge
| convert ctime(dummy_Time) 
| table age,s,dummy_Time,expectedAge

 

 

If I remove the lines following (and including) the where/search clause, I see the results of the lookup. 

How can I achieve this correctly ?

Labels (1)
Labels
0 Karma
Reply

sherwin_r
Explorer
‎11-08-2023 04:14 AM

The data is complete in my case, because they are evaluated fields. One thing to note is that The column age is in a float format and expectedAge is in int format (Atleast looks like that).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2023 04:38 AM

The fact that you are using eval is expected but does not help identify where the problem is, please share your data (anonymised where appropriate).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2023 03:52 AM

The where command should work assuming your data is consistent with the condition, i.e. both fields hold numerics. If it is still not working, please share your data (anonymised where appropriate).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...