Splunk Enterprise Security

How to fix - Lookup file working properly when running "inputlookup" command but in search time not all fields are extracted.

yossefn
Path Finder

I have a lookup file to add additional fields to events.
When running the "inputlookup" command I can see all the fields (4) just fine, but when running a search I see just 3 values from the 4 values in the table.
I've checked multiple times the spelling, removed and added the lookup but I still see just part of the lookup data.

Does anyone have an idea?
Thank you.

0 Karma

wmyersas
Builder

When you use a lookup, you're finding data in the table based on a field in your search data

Therefore, if you're doing a lookup on field1, you won't see it added in your output - because it was already there in your event data

0 Karma

gaurav_maniar
Builder

to assist better, please provide some example and query for the in which you are using the lookup.

nickhills
Ultra Champion

can you provide some examples?
Does your automatic lookup specify all 4 output fields?

If my comment helps, please give it a thumbs up!
0 Karma

yossefn
Path Finder

I can share, but it'll not help you since part of the data is in Hebrew.
I'm trying to make a lookup that will add data in English in addition to the Hebrew text so i'll be able to query in more efficient way.

What do you mean by "all 4 output fields"? It's all in the same field - different values. It's all door names in the same field.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...