Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why doesn't search return result when I list a field of a lookup?

juanda667
Engager
‎12-12-2022 12:25 PM

I was trying to join a group of documents with a list of users that I had in a lookup, and the search return me results and always works fine, but the problem its when I try to table another of the fields of the lookup. The search that return me one result, doesn't return me nothing, and I cant understand why, cause the table doesn't should affect the results or the search.

 

Even I try to change the name or different things like list the lookup and search the documents, but simply doesnt work

 

 

this is when I try to table "Nombre", the search doesn't return resultsjuanda667_4-1670876455314.png

juanda667_5-1670876467004.png

But this is exactly the same search and if I dont put the field "Nombre" , return me results

juanda667_7-1670876624820.png

 

 

 

this is the lookup, and if I search the document that match in the join, I see that effectively have the field "Nombre"

juanda667_2-1670876172166.png

 

In all the searches have a range of 7 days ago,

 

Labels (3)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎12-12-2022 02:10 PM

If you have a lookup and you want to get data from the lookup into a data stream, use the lookup command, not join.

You should almost never need to use join.

Use

| lookup VIP_Empleados.csv LOOKUP_FIELD as DATA_FIELD OUTPUT wanted_fields

You can then test if the fields you want from the lookup are null (no match found) or present.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...