Splunk Search

"Join" on a lookup not returning everything

DBattisto
Communicator

Hello! I am troubleshooting a report, and I've cut it all down to the very basics with the following two snippets. Basically, 'join' with a csv is not returning expected results. This dataset between Sept-1 and Sept-2 has about 75,000 unique entries (but the base search with "value=374667" only has about 30!).

 

 

index="xxx" sourcetype="xxx" value="374667"
timeformat="%Y-%m-%d" earliest="2021-09-01" latest="2021-09-02"
| join value [inputlookup lookup.csv]
| dedup value
| chart count

 

 

The above query returns 0 (incorrect).

 

 

index="xxx" sourcetype="xxx" value="374667"
timeformat="%Y-%m-%d" earliest="2021-09-01" latest="2021-09-02"
| dedup value
| chart count

 

 

The above query returns 1 (expected).

Labels (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried a lookup instead of join with inputlookup?

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...