https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393886#M6345 <P>What do you get when you run this entire search? Do you get records from your lookup table and nothing from the index?</P> Tue, 09 Apr 2019 14:21:51 GMT grittonc 2019-04-09T14:21:51Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393885#M6344 <P>hello</P> <P>In the search below I try to match host in "host.csv" with host which comes from a subsearch</P> <PRE><CODE>| inputlookup host.csv | table host | join type=left host [ search index=master-data-lookups sourcetype="view_splunk_assets" | stats count by HOSTNAME TOWN COUNTRY | fields - count | rename HOSTNAME as host] </CODE></PRE> <P>what is the problem because I have results when i execute <CODE>| inputlookup host.csv</CODE> OR <CODE>index=master-data-lookups sourcetype="view_splunk_assets" <BR /> | stats count by HOSTNAME TOWN COUNTRY<BR /> | fields - count <BR /> | rename HOSTNAME as host</CODE></P> <P>thanks</P> Tue, 09 Apr 2019 13:42:19 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393885#M6344 jip31 2019-04-09T13:42:19Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393886#M6345 <P>What do you get when you run this entire search? Do you get records from your lookup table and nothing from the index?</P> Tue, 09 Apr 2019 14:21:51 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393886#M6345 grittonc 2019-04-09T14:21:51Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393887#M6346 <P>Try this:</P> <PRE><CODE>index=master-data-lookups sourcetype="view_splunk_assets" | stats count by HOSTNAME TOWN COUNTRY | fields - count | rename HOSTNAME as host | appendpipe [|inputlookup host.csv | table host | eval sourcetype="csv"] | stats values(*) AS * BY host | search sourcetype="csv" </CODE></PRE> Tue, 09 Apr 2019 14:31:11 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393887#M6346 woodcock 2019-04-09T14:31:11Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393888#M6347 <P>What is the significance to putting the index search first?</P> Tue, 09 Apr 2019 15:07:39 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393888#M6347 grittonc 2019-04-09T15:07:39Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393889#M6348 <P>In your search statement, "host.csv" is 1 and ”subsearch” is the first one.<BR /> If you want "host.csv" to connect multiple ”subsearch” to 1 change the max value. </P> <P>host.csv<BR /> A<BR /> B<BR /> C</P> <P>”subsearch”<BR /> A TOWN1 COUNTRY1<BR /> A TOWN2 COUNTRY2<BR /> C TOWN3 COUNTRY3<BR /> C TOWN4 COUNTRY4</P> <P>your search results<BR /> A TOWN1 COUNTRY1<BR /> B<BR /> C TOWN3 COUNTRY3</P> <P>What do you want to do?</P> <P>join-options<BR /> Syntax: type=(inner | outer | left) | usetime= | earlier= | overwrite= | max=<BR /> Description: Options to the join command. Use either outer or left to specify a left outer join.</P> <P>max<BR /> Syntax: max=<BR /> Description: Specifies the maximum number of subsearch results that each main search result can join with. If set to max=0, there is no limit.<BR /> Default: 1</P> Tue, 09 Apr 2019 15:39:13 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393889#M6348 HiroshiSatoh 2019-04-09T15:39:13Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393890#M6349 <P>thanks a lot</P> Wed, 10 Apr 2019 04:47:39 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393890#M6349 jip31 2019-04-10T04:47:39Z https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393891#M6350 <P>Because the <CODE>appendpipe [|inputlookup ...]</CODE> trick that I invented somehow bypasses the subsearch limits, but the normal search will not.</P> Thu, 11 Apr 2019 01:36:50 GMT https://community.splunk.com/t5/Knowledge-Management/help-with-inputlookup-and-a-subsearch/m-p/393891#M6350 woodcock 2019-04-11T01:36:50Z