Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do search lookup returns no results found?

johnansett
Communicator
‎07-19-2022 09:11 AM

Hello!

We are enriching some data and want to be able to then search the results matched from the lookup table.  It works and we can search one of the lookup tables, but the other doesn't return any results, although they are there.... Here is the base search:

 

 

index="allhosts" ip=* 
| stats count by hostname, ip, domain 
| eval hostname=upper(hostname)
| rex field=hostname "^(?P<hostcode>..)" 
| lookup hostcode.csv hostcode AS hostcode 
| lookup applications.csv ipaddress AS ip
| lookup vlan.csv Subnet AS ip

 

 

 

 

 

This works great, I can see a table with all hosts, their first two letters (naming convention) and then matched with their application and vlan... 

hostname ip domain Application  hostcode VLAN
ABCD 10.1.1.1 Domain1 Application1 AB VLAN1
CDEF 10.1.1.2 Domain 1 Application2 CD VLAN2


When I add 
| search VLAN=VLAN1, it shows only the first row.... same when I add VLAN2

BUT
When if I add
| search Application=Application1, no results.  If I add | search Application=*, no results....

Any ideas why this particular field will not return results?!

Thanks!

Labels (1)
Labels
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-19-2022 03:41 PM

There is an odd character in your field 'Application". If I copy/paste your table into a search and convert it to a table, I can see the field name 'Application_"

| makeresults
| eval _raw="hostname	ip	domain	Application 	hostcode	VLAN
ABCD	10.1.1.1	Domain1	Application1	AB	VLAN1
CDEF	10.1.1.2	Domain 1	Application2	CD	VLAN2"
| multikv forceheader=1

bowesmana_0-1658270380935.png

so, you should check your CSV to make sure it does not have some odd extra character 

Add this onto the end of your search so you can see if there are extra field name characters

| transpose 0
| search column="*Application*"
| eval column=":".column.":"

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2022 09:44 AM

What happens if you use where instead of search?  Have you tried quoting the values?

| where Application=Application1

 

---
If this reply helps you, Karma would be appreciated.
Reply

johnansett
Communicator
‎07-19-2022 10:18 AM

Same thing with: | where Application=Application1

And yep, tried with quoting the values, there are some with spaces so wondered if that was the issue, but same results...

None of these worked:

| where Application=Application1

| where Application="Application1"

| search Application=Application1

| search Application="Application1"

Likewise, using Application="*" also provides no results.

Thanks!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2022 12:45 PM

Make sure you're searching in Verbose mode.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...