https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351932#M104154 <P>Thanks a lot for your replies!</P> <P>I receive this error:</P> <P>Error in 'rex' command: The regex '(?i)(Error=not starting because the task should|Error=Error getting data)' does not extract anything. It should specify at least one named group. Format: (?...).</P> Sun, 24 Sep 2017 09:52:06 GMT luc_k 2017-09-24T09:52:06Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351925#M104147 <P>Hi,</P> <P>I have a lookup table errors.csv ,which contains Error and Source columns.I have a query the returns log entries containing Error column values :</P> <P>[|inputlookup errors.csv | rename Error AS query | fields query ]</P> <P>How do I add the Source column to the results?</P> <P>Thanks,</P> <P>Luc </P> Wed, 20 Sep 2017 07:38:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351925#M104147 luc_k 2017-09-20T07:38:54Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351926#M104148 <P>Try this!</P> <P>|inputlookup errors.csv <BR /> |map search="search (your search) \"$Error$\"|eval Error=\"$Error$\", Source=\"$Source$\""</P> Wed, 20 Sep 2017 14:27:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351926#M104148 HiroshiSatoh 2017-09-20T14:27:37Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351927#M104149 <P>Hi<BR /> as the previous adding lookup command, try something like this</P> <PRE><CODE>your_search [ | inputlookup your_lookup.csv | rename Error AS quesry | fields query ] | rename _raw as rawText | eval foo=[ | inputlookup your_lookup.csv | eval query="%"+Error+"%" | stats values(query) AS query | eval query=mvjoin(query,",") | fields query | format "" "" "" "" "" "" ] | eval foo=split(foo,",") | mvexpand foo | where like(rawText,foo) | rex field=foo "\%(?&lt;Error&gt;[^\%]*)\%" | lookup errors.csv Error OUTPUT Source | ... </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Wed, 20 Sep 2017 14:30:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351927#M104149 gcusello 2017-09-20T14:30:02Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351928#M104150 <P>try this,</P> <P>[|inputlookup errors.csv where Source=* | rename Error AS query | fields query Source | table query Source]</P> Wed, 20 Sep 2017 14:38:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351928#M104150 sbbadri 2017-09-20T14:38:48Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351929#M104151 <P>@sbbadri - The user didn't say so, but the brackets indicate that this is a subsearch, so this solution will not work. if Source got passed back at all, it would act as a limit on the main search, rather than giving extra information.</P> Wed, 20 Sep 2017 20:36:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351929#M104151 DalJeanis 2017-09-20T20:36:46Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351930#M104152 <P>@cusello - Not precisely the way I would do it, but it should work for moderate numbers of events and moderate numbers of records in the lookup. For larger numbers of records, I'd replace the <CODE>mvexpand</CODE> with a <CODE>rex</CODE> that pulls out those error values directly, rather than multiplying the number of records.</P> <P>Something like this...</P> <PRE><CODE> your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ] | rex field=_raw [ | inputlookup your_lookup.csv | table Error | sort 0 - Error | rex mode=sed field=Error "s/ /!!!!/g" | format "(?i)(&lt;Error&gt;" "" "" "" "|" ")" | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"] | lookup your_lookup.csv Error OUTPUT Source </CODE></PRE> <P>Note that this is air code. I would test that rex-build subsearch with this first, to make sure the regular expression was well formed. </P> <PRE><CODE> | inputlookup your_lookup.csv | table Error | sort 0 - Error | rex mode=sed field=Error "s/ /!!!!/g" | format "(?i)(&lt;Error&gt;" "" "" "" "|" ")" | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g" </CODE></PRE> Wed, 20 Sep 2017 20:48:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351930#M104152 DalJeanis 2017-09-20T20:48:42Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351931#M104153 <P>@HiroshiSatoh - This will work, but I'd only do it for very small numbers of error messages (no more than 10, or at most 20). <CODE>map</CODE> is very expensive for what you get.</P> Wed, 20 Sep 2017 20:50:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351931#M104153 DalJeanis 2017-09-20T20:50:20Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351932#M104154 <P>Thanks a lot for your replies!</P> <P>I receive this error:</P> <P>Error in 'rex' command: The regex '(?i)(Error=not starting because the task should|Error=Error getting data)' does not extract anything. It should specify at least one named group. Format: (?...).</P> Sun, 24 Sep 2017 09:52:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/351932#M104154 luc_k 2017-09-24T09:52:06Z