Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is lookup command not giving result as expected?

RanjiRaje
Explorer
‎04-13-2023 08:43 AM

Hi All, I am facing some issue in using lookup command. Need your suggestions here please..

I have a lookup file as below: In that I have same host under different base.

Base Host Category
X device1 Lin
X device2 Win
X device3 Lin
M device2 Lin
M device14 Win
M device15 Win

I need to compare the hosts (from Base 'M') with hostname reporting under particular index and need to get the list of matching hosts.

Query:
index=indexA
| lookup lookupfilename Host as hostname OUTPUTNEW Base,Category
| fields hostname,Base,Category
| stats count by hostname,Base,Category
| where Base="M"

As per my lookup file, I should get output as below (considering device2 & device14 available in splunk index)

hostname Base Category
device2 M Lin
device14 M Win

But I am getting 2 entries under device2 as below (entry under category "Win" is incorrect) :

hostname Base Category
device2 M Win
device2 M Lin
device14 M Win

Please help me on the query that I have framed. thanks in advance

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-15-2023 07:11 PM

The problem is that your lookup will create TWO multivalued fields: "Base" and "Category" and unless you entangle them row-wise they association will be lost.  You can do this 2 ways.  You can merge the 2 fields into a single field called "Base_and_Category" and then do filter/split/mevexpand, but this is probably more trouble than it is worth.  The other option is to lookup each (potentially) multivalue field separately and filter/stats/mvexpand before doing the other field.  Try this:

|makeresults
| eval _raw="
Base Host Category
X device1 Lin
X device2 Win
X device3 Lin
M device2 Lin
M device14 Win
M device15 Win"
| multikv forceheader=1
| fields - _* linecount
| outputlookup eraseme.csv
| stats count BY Host
| rename Host AS hostname

| rename COMMENT AS "Everything above is setup; everything below is your answer"

| lookup eraseme.csv Host AS hostname OUTPUT Base
| stats count BY hostname Base
| search Base="M"
| lookup eraseme.csv Host AS hostname Base OUTPUT Category

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎04-13-2023 01:21 PM

Is it possible that your lookup table has data entry error?  Use this as a test:

| lookup lookupfilename
| stats count by Host Base Category
| rename Host as hostname 
| where Base == "M" AND hostname == "device2"

Does this give you the desired results?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-13-2023 09:28 AM 
| eval Base="M"
| lookup hosts.csv Host as hostname Base OUTPUTNEW Category
| fields hostname,Base,Category
| stats count by hostname,Base,Category
0 Karma
Reply

RanjiRaje
Explorer
‎04-13-2023 09:39 AM

Hi , thanks for your suggestion. I tried the way u said. but it is also not providing the result as expected

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-13-2023 09:48 AM

OK that seems unlikely as setting the Base to "M" and including in the lookup would mean that only rows with Base="M" and Host=hostname would be returned.

What other rows are you getting back from the lookup (that you weren't expecting?)?

0 Karma
Reply

RanjiRaje
Explorer
‎04-13-2023 10:03 AM

The other Base which has the same hostname is getting included in my result which is incorrect.

in my example:

Host "device2 " is present in both the Base (M, X). As per my where condition, I should get only Base 'M' with Category 'Lin'

But I am getting 2 entries for device2 (by referring both the Base) with Category 'Lin' and 'Win'

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-13-2023 03:41 PM

Is it possible that Base is coming from your events in the index?

Please show your full SPL where this is failing.

0 Karma
Reply
Get Updates on the Splunk Community!

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...