Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't search return result when I list a field of a lookup?

juanda667
Engager
‎12-12-2022 12:25 PM

I was trying to join a group of documents with a list of users that I had in a lookup, and the search return me results and always works fine, but the problem its when I try to table another of the fields of the lookup. The search that return me one result, doesn't return me nothing, and I cant understand why, cause the table doesn't should affect the results or the search.

 

Even I try to change the name or different things like list the lookup and search the documents, but simply doesnt work

 

 

this is when I try to table "Nombre", the search doesn't return resultsjuanda667_4-1670876455314.png

juanda667_5-1670876467004.png

But this is exactly the same search and if I dont put the field "Nombre" , return me results

juanda667_7-1670876624820.png

 

 

 

this is the lookup, and if I search the document that match in the join, I see that effectively have the field "Nombre"

juanda667_2-1670876172166.png

 

In all the searches have a range of 7 days ago,

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...