Re: lookup data not population in final part of qu...

vk1544 · ‎11-07-2023

Hi all

i have the below query where i have a lookup file with Error messages im trying to match the error messages in the lookup and then matching those in the rawdata and showing in table. However my final result query field is coming as empty rest all are populating. Need help in the query i was trying to add before the table command | lookup ErrorMessage.csv query OUTPUT query but not working need help

index=abc host="LINUX123" " source="/new/dir/apps/servers/service*.log" "Error data*" [ | inputlookup ErrorMessage.csv | fields + ErrorMessage | rename ErrorMessage as query] | table _time,host,query, _raw

lookup file content

ErrorMessage.csv

File Not Found

Error data in client transacton

thanks in advance

ITWhisperer · ‎11-07-2023

The query field (like the search field) are special cases in subqueries as they are not passed to the outer search, only their values are. This is why the final query field is empty.

lookup data not population in final part of query

lookup

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?