Re: Where/Search clause does not work with lookup.

sherwin_r · ‎11-08-2023

I am having trouble comparing the columns age and expectedAge, where the column expectedAge is a result of a lookup table. I tried the comparison with "where" as well as "search" clauses. Neither of them worked. I just simply want to select the rows where age > expectedAge.

Expected behaviour :

Return rows where the above mentioned condition is met.

Actual behaviour :

Returns nothing.

| eval age=bla..bla..bla 
| lookup "expected_age_lookup" dummy_s as s OUTPUT expected_age
| fillnull value=777 expected_age
| rename expected_age as expectedAge
| search age > expectedAge
| convert ctime(dummy_Time) 
| table age,s,dummy_Time,expectedAge

If I remove the lines following (and including) the where/search clause, I see the results of the lookup.

How can I achieve this correctly ?

sherwin_r · ‎11-08-2023

The data is complete in my case, because they are evaluated fields. One thing to note is that The column age is in a float format and expectedAge is in int format (Atleast looks like that).

ITWhisperer · ‎11-08-2023

The fact that you are using eval is expected but does not help identify where the problem is, please share your data (anonymised where appropriate).

ITWhisperer · ‎11-08-2023

The where command should work assuming your data is consistent with the condition, i.e. both fields hold numerics. If it is still not working, please share your data (anonymised where appropriate).

Where/Search clause does not work with lookup.

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation