https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344754#M102133 <P>This worked perfectly!!! Thank you. </P> <P>[| inputlookup lookupfile | table user | dedup user]<BR /> | ... rest of the search<BR /> | lookup lookupfile user OUTPUT "Full Name" "Dept #" ..all other fields</P> Fri, 02 Aug 2019 17:10:08 GMT jaxjohnny2000 2019-08-02T17:10:08Z https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344749#M102128 <P>I have an index that contains a field called user. I have a lookup file that also contains the header user, in addition to various other columns headers with other values.</P> <P>How do I write a search that only returns the users that are listed in the Lookup file? I've tried the following, but I'm still seeing every user returned when I do a stats or something similiar</P> <PRE><CODE>| lookup lookupfile user as user </CODE></PRE> <P>Thx</P> Wed, 13 Dec 2017 16:18:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344749#M102128 jwalzerpitt 2017-12-13T16:18:04Z https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344750#M102129 <P>At first glance it seems like you're wanting to filter your results using lookupfile. By default the lookup command adds additional fields to your results. In order to filter you're probably going to want to use inputlookup in a subsearch. </P> <P>Basic example:</P> <P>index=abc sourcetype=abcdef [search | inputlookup lookupfile | fields user]...</P> Wed, 13 Dec 2017 16:40:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344750#M102129 snowmizer 2017-12-13T16:40:06Z https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344751#M102130 <P>The <CODE>| lookup</CODE> command is data enrichment command (adds more information from lookup table to current result based on matching field). What you need is a subsearch to use lookup as filter, like this</P> <PRE><CODE>Your base search [| inputlookup lookupfile | table user | dedup user] | ... rest of the search </CODE></PRE> <P>OR</P> <PRE><CODE>your current search | search [| inputlookup lookupfile | table user | dedup user] </CODE></PRE> Wed, 13 Dec 2017 16:40:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344751#M102130 somesoni2 2017-12-13T16:40:53Z https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344752#M102131 <P>Thx for the clarification</P> <P>If I wanted to add additional fields from the lookup file, such as Full Name, Dept #, while still matching only those user names in the lookup file, how would I perform that search?</P> <P>Thx</P> Wed, 13 Dec 2017 16:54:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344752#M102131 jwalzerpitt 2017-12-13T16:54:04Z https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344753#M102132 <P>You would need to use both filter and enrichment version for that. The optimum approach would to filter first and then enrich, like this</P> <PRE><CODE>Your base search [| inputlookup lookupfile | table user | dedup user] | ... rest of the search | lookup lookupfile user OUTPUT "Full Name" "Dept #" ..all other fields </CODE></PRE> Wed, 13 Dec 2017 17:04:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344753#M102132 somesoni2 2017-12-13T17:04:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344754#M102133 <P>This worked perfectly!!! Thank you. </P> <P>[| inputlookup lookupfile | table user | dedup user]<BR /> | ... rest of the search<BR /> | lookup lookupfile user OUTPUT "Full Name" "Dept #" ..all other fields</P> Fri, 02 Aug 2019 17:10:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-return-values-that-match-column-in-Lookup-table/m-p/344754#M102133 jaxjohnny2000 2019-08-02T17:10:08Z