https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63558#M3922 <P>eventtype=bluecoat [| inputlookup wfap_lookup | where wfap_priority=2 | fields wfap_indicator | rename wfap_indicator as search| format "" "(" "OR" ")" "OR" ""] user="test"</P> <P>The lookup will contain values such as:</P> <P>string priority</P> <P>car 0<BR /> "red car" 2<BR /> "blue car" 1<BR /> red 3</P> <P>The problem I am having is with the multi-string values. For example, if I am looking for "red car", the search above will find within an event red and car, but not always as the string "red car". The event might have someting like, "Red is a nice color. A fast car is fun to drive".</P> Mon, 28 Sep 2020 12:27:34 GMT mcbradford 2020-09-28T12:27:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63558#M3922 <P>eventtype=bluecoat [| inputlookup wfap_lookup | where wfap_priority=2 | fields wfap_indicator | rename wfap_indicator as search| format "" "(" "OR" ")" "OR" ""] user="test"</P> <P>The lookup will contain values such as:</P> <P>string priority</P> <P>car 0<BR /> "red car" 2<BR /> "blue car" 1<BR /> red 3</P> <P>The problem I am having is with the multi-string values. For example, if I am looking for "red car", the search above will find within an event red and car, but not always as the string "red car". The event might have someting like, "Red is a nice color. A fast car is fun to drive".</P> Mon, 28 Sep 2020 12:27:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63558#M3922 mcbradford 2020-09-28T12:27:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63559#M3923 <P>You can check exactly what the subsearch will return by just running it on its own, including the <CODE>format</CODE> at the end. I just tried recreating your scenario and get the search string <CODE>( "red car" ) OR ( "blue car" )</CODE>. If you're getting the same string, I don't see why Splunk would behave like you describe. It should match the whole string, not inidividual words.</P> Tue, 18 Sep 2012 16:03:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63559#M3923 Ayn 2012-09-18T16:03:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63560#M3924 <P>I would agree with Ayn, but when I ran it, the search didn't have the quotes around "red car". I added this: <CODE>| eval search = "\"" .search."\"" |</CODE> before the format and it returned with the quoted "red car", which will search for "red car" and not "red AND car".</P> Tue, 18 Sep 2012 18:25:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/search-help-against-lookup-values/m-p/63560#M3924 alacercogitatus 2012-09-18T18:25:04Z