https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362957#M92875 <P>Thanks for the reply. It will be separate rows as entries </P> Fri, 23 Jun 2017 19:03:24 GMT dxw350 2017-06-23T19:03:24Z https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362955#M92873 <P>I am using lookup commands for data in a csv file and trying to map src_ip to the HOST and the SERVER in different rows. As an example<BR /> MY ISSUE: There are always entries for both Host and Server, but if the Server entry is not listed as a separate row in the HOST column I need to add it as a reciprocal row. Is there a way to do that with |lookup HOST as src_ip OUTPUT src_ip dest_zone SERVER |lookup SERVER as src_ip OUTPUT src_ip dest_zone SERVER<BR /> Example:<BR /> HOST SERVER<BR /> 192.168..1.1 192.168.2.10<BR /> 192.168.2.10 192.168.1.1 This pair is good</P> <P>192.168.1.3 192.168.2.11<BR /> Missing reciprocal This row needs the reverse</P> Tue, 29 Sep 2020 14:34:35 GMT https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362955#M92873 dxw350 2020-09-29T14:34:35Z https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362956#M92874 <P>Is your query like this? (there might be a type in first lookup)</P> <PRE><CODE>your base search giving field src_ip |lookup HOST as src_ip OUTPUT src_ip dest_zone HOST |lookup SERVER as src_ip OUTPUT src_ip dest_zone SERVER </CODE></PRE> <P>The example output, is it single rows or two rows? </P> Fri, 23 Jun 2017 19:00:01 GMT https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362956#M92874 somesoni2 2017-06-23T19:00:01Z https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362957#M92875 <P>Thanks for the reply. It will be separate rows as entries </P> Fri, 23 Jun 2017 19:03:24 GMT https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362957#M92875 dxw350 2017-06-23T19:03:24Z https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362958#M92876 <P>I wouldn't spend a minute thinking about this...</P> <PRE><CODE>| inputlookup SERVER | appendpipe [ | eval hold=HOST | eval HOST=SERVER | eval SERVER=hold | fields - hold] | dedup HOST SERVER | outputlookup append=f SERVER </CODE></PRE> Fri, 23 Jun 2017 19:33:45 GMT https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362958#M92876 DalJeanis 2017-06-23T19:33:45Z https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362959#M92877 <P>hi,</P> <P>I tried your appendpipe solution and it didn't work. I only have one inputlookup csv called "data_file.csv". How can the following be corrected to work?</P> <P>index=firewall_juniper sourcetype="juniper:junos:firewall" |dedup src_ip dest_ip | lookup data_file HOST_IP as src_ip output APPLICATION_SERVICE SERVER_IP |search APPLICATION_SERVICE=$param_app$ | inputlookup data_file| appendpipe [ | eval hold=HOST_IP | eval HOST_IP=SERVER_IP | eval SERVER_IP=hold | fields-hold] | dedup HOST_IP SERVER_IP | outputlookup append=f PARITY_SERVER_IP |search APPLICATION_SERVICE=$param_app$ |table src_ip src dest_ip HOSTNAME SERVER_IP </P> Tue, 29 Sep 2020 14:39:19 GMT https://community.splunk.com/t5/Getting-Data-In/reciprocal-entries-in-next-row/m-p/362959#M92877 dxw350 2020-09-29T14:39:19Z