Splunk Search

Why does search on a lookup field return "no results found"?

johnansett
Communicator

Hello!

We are enriching some data and want to be able to then search the results matched from the lookup table.  It works and we can search one of the lookup tables, but the other doesn't return any results, although they are there.... Here is the base search:

index="allhosts" ip=* 
| stats count by hostname, ip, domain 
| eval hostname=upper(hostname)
| rex field=hostname "^(?P<hostcode>..)" 
| lookup hostcode.csv hostcode AS hostcode 
| lookup applications.csv ipaddress AS ip
| lookup vlan.csv Subnet AS ip

This works great, I can see a table with all hosts, their first two letters (naming convention) and then matched with their application and vlan... 

hostname ip domain Application  hostcode VLAN
ABCD 10.1.1.1 Domain1 Application1 AB VLAN1
CDEF 10.1.1.2 Domain 1 Application2 CD VLAN2


When I add 
| search VLAN=VLAN1, it shows only the first row.... same when I add VLAN2

BUT
When I add
| search Application=Application1, no results. If I add | search Application=*, no results....

Any ideas why this particular field will not return results?!

Thanks!


bowesmana
SplunkTrust

There is an odd character in your field 'Application'. If I copy/paste your table into a search and convert it to a table, I can see the field name 'Application_'

| makeresults
| eval _raw="hostname	ip	domain	Application 	hostcode	VLAN
ABCD	10.1.1.1	Domain1	Application1	AB	VLAN1
CDEF	10.1.1.2	Domain 1	Application2	CD	VLAN2"
| multikv forceheader=1


So, you should check your CSV to make sure it does not have some odd extra character.

Add this onto the end of your search so you can see if there are extra field name characters

| transpose 0
| search column="*Application*"
| eval column=":".column.":"
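
The header-inspection idea above can also be applied to the lookup file itself before it is uploaded. The following is an added example, not code from this thread or from Splunk: it reads a constructed CSV whose header carries a BOM and a trailing space (assumed defects chosen to reproduce the symptom), names every invisible character found in each field name, and builds a `| rename` clause as a stop-gap until the CSV header is rewritten.

```python
import csv
import io
import unicodedata

# Constructed sample lookup file (not from the thread): the header carries a
# UTF-8 BOM before "ipaddress" and a trailing space after "Application", two
# invisible defects that make `| search Application=...` match nothing.
SAMPLE_CSV = (
    "\ufeffipaddress,Application ,Owner\n"
    "10.1.1.1,Application1,team-a\n"
    "10.1.1.2,Application2,team-b\n"
)

def is_invisible(ch):
    """True for whitespace, control and format characters (Unicode Z* / C*),
    which never show in a rendered table but do change the field name."""
    return unicodedata.category(ch)[0] in ("Z", "C")

def hidden_chars(name):
    """(position, 'U+XXXX NAME') for every invisible character in a header name."""
    return [(i, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed>")))
            for i, ch in enumerate(name) if is_invisible(ch)]

def header_of(csv_text):
    """First row of the CSV, read with the csv module so quoting is honoured."""
    return next(csv.reader(io.StringIO(csv_text)))

def audit_header(csv_text):
    """Map each defective header field to its hidden characters; {} means clean."""
    return {n: hidden_chars(n) for n in header_of(csv_text) if hidden_chars(n)}

def strip_invisible(name):
    """The field name as the search author expected it."""
    return "".join(ch for ch in name if not is_invisible(ch))

def spl_rename_fix(csv_text):
    """A `| rename` clause to place right after `| lookup` as a stop-gap until
    the CSV header itself is rewritten; '' when nothing needs renaming."""
    pairs = ['"%s" AS %s' % (n, strip_invisible(n))
             for n in header_of(csv_text) if hidden_chars(n)]
    return "| rename " + ", ".join(pairs) if pairs else ""

if __name__ == "__main__":
    for raw, found in audit_header(SAMPLE_CSV).items():
        print("field %r carries %s" % (strip_invisible(raw), found))
    print(spl_rename_fix(SAMPLE_CSV))
```

Run it against the real hostcode.csv / applications.csv / vlan.csv content to see which header names differ from what the search expects.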

richgalloway
SplunkTrust

What happens if you use where instead of search?  Have you tried quoting the values?

| where Application=Application1

---
If this reply helps you, Karma would be appreciated.

johnansett
Communicator

Same thing with: | where Application=Application1

And yep, tried with quoting the values, there are some with spaces so wondered if that was the issue, but same results...

None of these worked:

| where Application=Application1

| where Application="Application1"

| search Application=Application1

| search Application="Application1"

Likewise, using Application="*" also provides no results.

Thanks!


richgalloway
SplunkTrust

Make sure you're searching in Verbose mode.

---
If this reply helps you, Karma would be appreciated.