https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/636877#M108929 <P>I am running script to get ping status of the servers and i onboarded the logs and extract filed as Servers.Now in my inputlookup i have 5 fields (ServerName,ApplicationName,Environment,Alias,IPAdress).So i need to map the query result with inputlookup.</P><P>Index=* sourcetype=StatusPing |rex field=_raw "^[^\|\n]*\|\s+(?P&lt;Servers&gt;[^ ]+)" | eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down")|append [|inputlookup PingStatus.csv|rename Servers as ServerName ]|table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status</P><P>Thanks in Advance</P> Fri, 31 Mar 2023 13:32:18 GMT karthi2809 2023-03-31T13:32:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/636877#M108929 <P>I am running script to get ping status of the servers and i onboarded the logs and extract filed as Servers.Now in my inputlookup i have 5 fields (ServerName,ApplicationName,Environment,Alias,IPAdress).So i need to map the query result with inputlookup.</P><P>Index=* sourcetype=StatusPing |rex field=_raw "^[^\|\n]*\|\s+(?P&lt;Servers&gt;[^ ]+)" | eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down")|append [|inputlookup PingStatus.csv|rename Servers as ServerName ]|table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status</P><P>Thanks in Advance</P> Fri, 31 Mar 2023 13:32:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/636877#M108929 karthi2809 2023-03-31T13:32:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/636878#M108930 <P>Use <FONT face="courier new,courier">lookup</FONT> rather than <FONT face="courier new,courier">inputlookup</FONT>.</P><LI-CODE lang="markup">index=foo sourcetype=StatusPing | rex field=_raw "^[^\|\n]*\|\s+(?P&lt;Servers&gt;[^ ]+)" | eval Status=case(Lost=0, "UP", Lost=2, "Warning", Lost=4, "Down") | rename Servers as ServerName | lookup PingStatus.csv ServerName | table Alias,EnvironmentName,ApplicationName,ServerName,IPAddress,Lost,Status</LI-CODE><P>Don't use <FONT face="courier new,courier">index=*</FONT> in a production query.&nbsp; Your Splunk admin will hate you for it.&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Fri, 31 Mar 2023 13:37:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/636878#M108930 richgalloway 2023-03-31T13:37:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/638542#M109033 <P>Thanks</P> Tue, 04 Apr 2023 05:38:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-map-my-query-with-inputlookup-values/m-p/638542#M109033 karthi2809 2023-04-04T05:38:45Z