https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506675#M80 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214488">@irishmanjb</a>&nbsp;</P><P>This should work</P><P><FONT color="#FF0000"><SPAN>index="blah" sourcetype="blah:csv"</SPAN></FONT><BR /><FONT color="#FF0000"><SPAN>[ | inputlookup SerialNumber | table filedname | format ]</SPAN></FONT></P><P><SPAN>The field name in the lookup should match with the field name in index. If its not the same use</SPAN></P><P><FONT color="#FF0000"><SPAN>rename fieldname as fieldname1 (fieldname1 is in the index)</SPAN></FONT></P><P><SPAN>If the field name has a white space like "Serial Number", wrap it in quotes like "filed name"</SPAN></P> Tue, 30 Jun 2020 13:08:34 GMT anilchaithu 2020-06-30T13:08:34Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506672#M79 <P>Hello</P><P>I currently get CSV results from a daily import into Splunk.&nbsp; The first field is a serial number in this format INA field called "Serial Number" like this "xxx<SPAN class="t">-xxx-xxx</SPAN>" it is the first field in the raw_data results.</P><P>I have a lookup&nbsp; called SerialNumber that has a series of serial numbers with the same format I want to check for in the daily report.&nbsp; I have tested the lookup alone in Splunk and it works fine. It has about 20 serial numbers that I want to check for in the daily results. If there is a match just return the serial number or true</P><P>index="blah" sourcetype="blah:csv"<BR />[ | inputlookup SerialNumber ]<BR />fields&nbsp;<BR /><BR /><BR /><BR />thanks for your help<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Jun 2020 12:42:19 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506672#M79 irishmanjb 2020-06-30T12:42:19Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506675#M80 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214488">@irishmanjb</a>&nbsp;</P><P>This should work</P><P><FONT color="#FF0000"><SPAN>index="blah" sourcetype="blah:csv"</SPAN></FONT><BR /><FONT color="#FF0000"><SPAN>[ | inputlookup SerialNumber | table filedname | format ]</SPAN></FONT></P><P><SPAN>The field name in the lookup should match with the field name in index. If its not the same use</SPAN></P><P><FONT color="#FF0000"><SPAN>rename fieldname as fieldname1 (fieldname1 is in the index)</SPAN></FONT></P><P><SPAN>If the field name has a white space like "Serial Number", wrap it in quotes like "filed name"</SPAN></P> Tue, 30 Jun 2020 13:08:34 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506675#M80 anilchaithu 2020-06-30T13:08:34Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506678#M81 <P>If your data and the CSV file use the same field names then this should work.&nbsp;</P><LI-CODE lang="markup">index="blah" sourcetype="blah:csv" [ | inputlookup SerialNumber | format ] | table *</LI-CODE><P>If the field names are different then add a <FONT face="courier new,courier">rename</FONT> command within the subsearch.</P><LI-CODE lang="markup">index="blah" sourcetype="blah:csv" [ | inputlookup SerialNumber | rename "Serial Number" as serialNumber | format ] | table *</LI-CODE> Tue, 30 Jun 2020 13:11:50 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506678#M81 richgalloway 2020-06-30T13:11:50Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506694#M82 <P>Thanks for the follow up!</P> Tue, 30 Jun 2020 13:56:01 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Inputlookup-help/m-p/506694#M82 irishmanjb 2020-06-30T13:56:01Z