Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't search return result when I list a field of a lookup?

juanda667
Engager
‎12-12-2022 12:25 PM

I was trying to join a group of documents with a list of users that I had in a lookup, and the search return me results and always works fine, but the problem its when I try to table another of the fields of the lookup. The search that return me one result, doesn't return me nothing, and I cant understand why, cause the table doesn't should affect the results or the search.

 

Even I try to change the name or different things like list the lookup and search the documents, but simply doesnt work

 

 

this is when I try to table "Nombre", the search doesn't return resultsjuanda667_4-1670876455314.png

juanda667_5-1670876467004.png

But this is exactly the same search and if I dont put the field "Nombre" , return me results

juanda667_7-1670876624820.png

 

 

 

this is the lookup, and if I search the document that match in the join, I see that effectively have the field "Nombre"

juanda667_2-1670876172166.png

 

In all the searches have a range of 7 days ago,

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...