https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510549#M34026 <P>sample:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="Job1, Job2, Job3 ccc,eee,zzz ddd,fff,aaa" | multikv forceheader=1 | table Job* | eval header="Job" | untable header job thing | streamstats count(eval(job="Job1")) as session | append [| makeresults | eval _raw="Job,Id aaa,1234 ccc,2345 ddd,9879 fff,6743 eee,8754 zzz,4006" | multikv forceheader=1 | table Job Id ] | eval thing=coalesce(thing,Job) | selfjoin thing | sort session job | eval {job}=thing | table session Job1 Job2 Job3 Id | streamstats count as number by session | foreach number [| eval Id{&lt;&lt;FIELD&gt;&gt;} = Id] | stats values(Job*) as Job* values(Id*) as Id* by session | table Job1 Id1 Job2 Id2 Job3 Id3</LI-CODE><P>&nbsp;</P><P>recommend:</P><P>| inputlookup yourlookup<BR />| eval header= .... | append [search yoursearch ] | eval thing= ....</P> Wed, 22 Jul 2020 22:22:37 GMT to4kawa 2020-07-22T22:22:37Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510544#M34025 <P>Search results</P> <LI-CODE lang="markup">Job,Id aaa,1234 ccc,2345 ddd,9879 fff,6743 eee,8754 zzz,4006</LI-CODE> <P>&nbsp;</P> <P><SPAN>Lookup file&nbsp;</SPAN></P> <LI-CODE lang="markup">Job1, Job2 , Job3 ccc,eee,zzz ddd,fff,aaa</LI-CODE> <P>&nbsp;</P> <P>Output table should look like below:</P> <LI-CODE lang="markup">Job1,id1,Job2,id2,Job3,id3 ccc,2345,eee,8754,zzz,4006 ddd,9879,fff,6743,aaa,1234</LI-CODE> <P><SPAN><SPAN>Tried join, append, appendcols but all are returning incorrect results</SPAN></SPAN></P> Thu, 23 Jul 2020 04:03:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510544#M34025 Shan1490 2020-07-23T04:03:19Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510549#M34026 <P>sample:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="Job1, Job2, Job3 ccc,eee,zzz ddd,fff,aaa" | multikv forceheader=1 | table Job* | eval header="Job" | untable header job thing | streamstats count(eval(job="Job1")) as session | append [| makeresults | eval _raw="Job,Id aaa,1234 ccc,2345 ddd,9879 fff,6743 eee,8754 zzz,4006" | multikv forceheader=1 | table Job Id ] | eval thing=coalesce(thing,Job) | selfjoin thing | sort session job | eval {job}=thing | table session Job1 Job2 Job3 Id | streamstats count as number by session | foreach number [| eval Id{&lt;&lt;FIELD&gt;&gt;} = Id] | stats values(Job*) as Job* values(Id*) as Id* by session | table Job1 Id1 Job2 Id2 Job3 Id3</LI-CODE><P>&nbsp;</P><P>recommend:</P><P>| inputlookup yourlookup<BR />| eval header= .... | append [search yoursearch ] | eval thing= ....</P> Wed, 22 Jul 2020 22:22:37 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510549#M34026 to4kawa 2020-07-22T22:22:37Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510571#M34027 <P>Hi to4kawa,</P><P>I have mentioned only 6 sample records, there are more than 500+ records as part of my search and in lookup file as well</P><P>Also I can't append my search because the search is based on two different lookup. in that case how to use</P><P>&nbsp;</P><P>recommend:</P><P>| inputlookup yourlookup<BR />| eval header= .... | append [search yoursearch ] | eval thing= ....</P> Thu, 23 Jul 2020 04:09:20 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510571#M34027 Shan1490 2020-07-23T04:09:20Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510606#M34028 <P>Is there a problem with my query?</P> Thu, 23 Jul 2020 09:47:29 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510606#M34028 to4kawa 2020-07-23T09:47:29Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510702#M34032 <P>Search results</P><P>Index=appln sourcetype=alog|lookup abc.csv..........| eval.....|eval.....| values(Job) ,values(id)</P><P>&nbsp;</P><P>Above search results 600+ rows in below format</P><PRE>Job,Id aaa,1234 ccc,2345 ddd,9879 fff,6743 eee,8754 zzz,4006</PRE><P>&nbsp;</P><P><SPAN>Lookupfile (has 600+ rows)</SPAN></P><PRE>Job1, Job2 , Job3 ccc,eee,zzz ddd,fff,aaa</PRE><P>&nbsp;</P><P>Output table should look like below(600 + rows)</P><PRE>Job1,id1,Job2,id2,Job3,id3 ccc,2345,eee,8754,zzz,4006 ddd,9879,fff,6743,aaa,1234</PRE><P>In the above case how will I get id1, id2 ,id3 results from above search by joining with lookup file</P><P>&nbsp;</P> Thu, 23 Jul 2020 17:30:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510702#M34032 Shan1490 2020-07-23T17:30:25Z https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510703#M34033 <P><SPAN>your query doesn't use my query's method. and I'm not sure your query.<BR /><BR />What's the problem with <STRONG>my</STRONG> query?<BR /></SPAN></P> Thu, 23 Jul 2020 17:36:03 GMT https://community.splunk.com/t5/Dashboards-Visualizations/How-to-joins-Tables-for-this-scenario/m-p/510703#M34033 to4kawa 2020-07-23T17:36:03Z