Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

adding lookup in query ending with incorrect result

abdul
Explorer
‎10-08-2021 02:33 AM

i am getting two diffrent results in total. query1 is providing acurate result. 

query2 as soom as adding |lookup locationdetails.csv City AS City total value to less than acurate one
using splunk version 7.3.71

query1
index=xyz source=xyz 
|eval Month=strftime(_time,"%b %Y")
|search Month="Mar 2021"
|search Product In (Sold,Damaged)
|stats count(Product) as Total 


query 2
index=xyz source=xyz 
|eval Month=strftime(_time,"%b %Y")
|search Month="Mar 2021"
|search Product in (Sold,Damaged)
|lookup locationdetails.csv City AS City
|stats count(Product) as Total 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-10-2021 05:24 PM

What are the fields in the lookup file?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-08-2021 07:12 AM

Seems strange indeed. Are you sure that your lookup doesn't overwrite Product field somehow? (you're not specifying output fields)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...