How to return values from lookup which are not matching the search?

kavyadekkata
Explorer

Hi,
I currently have a search which returns a list of users with employee ID from a user lookup.

E.g., the user lookup has the following information:
syyyyyy
sxxxxxx
szzzzzz

My initial search returns syyyyy, sxxxxx, but I want the search to return szzzzzz. But my search below is not returning any results.

index=idx_xxxxx sourcetype="cisco:xxx" svc | rename user as identity
| lookup local=true wfh_names_def identity OUTPUT identity, name
| search identity NOT
[| lookup local=true wfh_names_def identity OUTPUT identity, name]

Could anyone please help?

Thanks & Regards
Kavya Dekkata

0 Karma

denzelchung
Path Finder

Do the lookup first, then use join to combine your search results with the base lookup values.

For example,

| inputlookup host.csv | join type=left host [| metadata type=hosts]

Doing an individual "| metadata type=hosts" search would give me host "A" and "B". In my csv file, I have "A", "B", "C", "D". Doing the above query would give me everything in my lookup file.

0 Karma
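One way to list only the lookup entries that never appear in the events (szzzzzz in the question), shown as an added example that is not part of either post. It reuses the index, sourcetype and lookup names from the question and assumes the lookup definition wfh_names_def has the fields identity and name, as the question's OUTPUT clause suggests.

```spl
index=idx_xxxxx sourcetype="cisco:xxx" svc
| rename user as identity
| stats count as events by identity
| inputlookup append=true wfh_names_def
| stats sum(events) as events values(name) as name by identity
| where isnull(events)
| table identity name
```

Rows appended from the lookup carry no events field, so an identity that exists only in the lookup leaves the second stats with events unset and passes the isnull filter. The grouping is an exact string match on identity, so the values in the events and in the lookup must be written the same way.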