https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475414#M81619 <P>There are multiple scenarios you use inputlookup<BR /> For example: <BR /> 1. <CODE>| inputlookup &lt;lookup file&gt;</CODE> This just outputs the content of the lookup file<BR /> 2. <CODE>&lt;your search&gt; |inputlookup &lt;lookup file&gt; append=true</CODE> This appends the content of your lookup file to the end of your search results</P> <P>You can view more examples here - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Inputlookup">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Inputlookup</A></P> <P>Cheers</P> Tue, 05 Nov 2019 12:40:16 GMT arjunpkishore5 2019-11-05T12:40:16Z https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475411#M81616 <P>Hi,<BR /> I am trying to use an inputlookup to enrich my search results table with additional fields from my inputlookup csv.<BR /> The scenario is that I am using a search to look for <STRONG>hostnames</STRONG> from events to match my CSV <STRONG>Device Name</STRONG> field and add the <STRONG>model</STRONG> number from my CSV also. I plan to add several more fields from my CSV but <STRONG>model</STRONG> field values is a start. I have tried to run the inputlookup sub-search but struggling to associate fields that are named differently between my search results and my CSV column titles.</P> <P>Many thanks</P> Tue, 05 Nov 2019 00:07:28 GMT https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475411#M81616 373782073 2019-11-05T00:07:28Z https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475412#M81617 <P>Based on what you described, what you need is the lookup command</P> <PRE><CODE>&lt;your search&gt; |lookup &lt;lookupfile&gt; "Device Name" as hostname OUTPUT &lt;comma separated fields from lookup&gt; </CODE></PRE> <P>Lookup documentation here - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Lookup</A></P> <P>Hope this helps.<BR /> Cheers</P> Tue, 05 Nov 2019 00:17:23 GMT https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475412#M81617 arjunpkishore5 2019-11-05T00:17:23Z https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475413#M81618 <P>That did the trick. Not sure why I steered into looking at inputlookup. Would you have any examples on applying inputlookup ?</P> Tue, 05 Nov 2019 04:12:58 GMT https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475413#M81618 373782073 2019-11-05T04:12:58Z https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475414#M81619 <P>There are multiple scenarios you use inputlookup<BR /> For example: <BR /> 1. <CODE>| inputlookup &lt;lookup file&gt;</CODE> This just outputs the content of the lookup file<BR /> 2. <CODE>&lt;your search&gt; |inputlookup &lt;lookup file&gt; append=true</CODE> This appends the content of your lookup file to the end of your search results</P> <P>You can view more examples here - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Inputlookup">https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/Inputlookup</A></P> <P>Cheers</P> Tue, 05 Nov 2019 12:40:16 GMT https://community.splunk.com/t5/Getting-Data-In/Using-inputlookup-to-enrich-results-table-with-a-common-field/m-p/475414#M81619 arjunpkishore5 2019-11-05T12:40:16Z