Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't search return result when I list a field of a lookup?

juanda667
Engager
‎12-12-2022 12:25 PM

I was trying to join a group of documents with a list of users that I had in a lookup, and the search return me results and always works fine, but the problem its when I try to table another of the fields of the lookup. The search that return me one result, doesn't return me nothing, and I cant understand why, cause the table doesn't should affect the results or the search.

 

Even I try to change the name or different things like list the lookup and search the documents, but simply doesnt work

 

 

this is when I try to table "Nombre", the search doesn't return resultsjuanda667_4-1670876455314.png

juanda667_5-1670876467004.png

But this is exactly the same search and if I dont put the field "Nombre" , return me results

juanda667_7-1670876624820.png

 

 

 

this is the lookup, and if I search the document that match in the join, I see that effectively have the field "Nombre"

juanda667_2-1670876172166.png

 

In all the searches have a range of 7 days ago,

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...