Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Where/Search clause does not work with lookup.

sherwin_r
Explorer
‎11-08-2023 03:30 AM

I am  having trouble comparing the columns age and expectedAge, where the column expectedAge is a result of a lookup table. I tried the comparison with "where" as well as "search" clauses. Neither of them worked. I just simply want to select the rows where age > expectedAge.

Expected behaviour :

Return rows where the above mentioned condition is met.

 

Actual behaviour :

Returns nothing.

 

| eval age=bla..bla..bla 
| lookup "expected_age_lookup" dummy_s as s OUTPUT expected_age
| fillnull value=777 expected_age
| rename expected_age as expectedAge
| search age > expectedAge
| convert ctime(dummy_Time) 
| table age,s,dummy_Time,expectedAge

 

 

If I remove the lines following (and including) the where/search clause, I see the results of the lookup. 

How can I achieve this correctly ?

Labels (1)
Labels
0 Karma
Reply

sherwin_r
Explorer
‎11-08-2023 04:14 AM

The data is complete in my case, because they are evaluated fields. One thing to note is that The column age is in a float format and expectedAge is in int format (Atleast looks like that).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2023 04:38 AM

The fact that you are using eval is expected but does not help identify where the problem is, please share your data (anonymised where appropriate).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-08-2023 03:52 AM

The where command should work assuming your data is consistent with the condition, i.e. both fields hold numerics. If it is still not working, please share your data (anonymised where appropriate).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...