https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363956#M107445 <P>Hi Team,</P> <P>How to display lookup fields along with search fields.</P> <P><STRONG>search Query</STRONG><BR /> index=AA* host=<EM>ABC</EM> source=/tmp/processMonitor* instance=<EM>XYZ</EM> apphome =*** | lookup boxdata host | search box_live_state="LIVE" | stats latest(state) as Status by host, apphome, instance, appmon | table host apphome instance appmon box_live_state</P> <P>Iam not getting anything under box_live_state, Is thr any way to display ??</P> <P><STRONG>boxdata</STRONG><BR /> box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host<BR /> QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01</P> <P><STRONG>Expecting output</STRONG> <BR /> host apphome instance appmon Status box_live_state<BR /> ABC /xy/abc abc 1 down Live</P> <P>Thanks<BR /> Harsha</P> Tue, 29 Sep 2020 15:19:01 GMT harsush 2020-09-29T15:19:01Z https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363956#M107445 <P>Hi Team,</P> <P>How to display lookup fields along with search fields.</P> <P><STRONG>search Query</STRONG><BR /> index=AA* host=<EM>ABC</EM> source=/tmp/processMonitor* instance=<EM>XYZ</EM> apphome =*** | lookup boxdata host | search box_live_state="LIVE" | stats latest(state) as Status by host, apphome, instance, appmon | table host apphome instance appmon box_live_state</P> <P>Iam not getting anything under box_live_state, Is thr any way to display ??</P> <P><STRONG>boxdata</STRONG><BR /> box_env box_live_state box_location box_model box_os box_patch box_rack box_rfb box_ver host<BR /> QA NOTLIVE ABC-DE HPXYZQ RHAS 1234 324 lxmcp 6.9 hostny01</P> <P><STRONG>Expecting output</STRONG> <BR /> host apphome instance appmon Status box_live_state<BR /> ABC /xy/abc abc 1 down Live</P> <P>Thanks<BR /> Harsha</P> Tue, 29 Sep 2020 15:19:01 GMT https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363956#M107445 harsush 2020-09-29T15:19:01Z https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363957#M107446 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/212940">@harsush</a>, please reverse the lookup pipe which should be after stats command. In your current query the stats command is removing enriched field/s from lookup including box_live_state.</P> <PRE><CODE>index=AA* host=ABC source=/tmp/processMonitor* instance=XYZ apphome =*** | stats latest(state) as Status by host, apphome, instance, appmon | lookup boxdata host | search box_live_state="LIVE" | table host apphome instance appmon box_live_state </CODE></PRE> <P>Also as per performance consideration, lookup should be performed after transforming commands ensuring records are reduced prior to correlating with the lookup file: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search</A></P> Tue, 29 Sep 2020 15:21:10 GMT https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363957#M107446 niketn 2020-09-29T15:21:10Z https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363958#M107447 <P>@harsush, please confirm whether your issue is resolved.</P> Tue, 29 Aug 2017 09:37:26 GMT https://community.splunk.com/t5/Splunk-Search/Display-Input-Lookup-Data/m-p/363958#M107447 niketn 2017-08-29T09:37:26Z