https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370108#M109013 <P>The lookup simply adds fieldB to events in index=foo where fieldA is matched. If fieldA is not matched, the event still shows up, but fieldB is null. Therefore the not isnull fulfills the "show only results matching fieldA in foo2" requirement.</P> Tue, 09 May 2017 17:12:34 GMT chrishartsock 2017-05-09T17:12:34Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370099#M109004 <P>I have an index=foo and a lookup table defined as foo2. How can I compare my index to the table to show only results matching fieldA in foo2 and pulling fieldB from foo2?</P> <P>I have tried below and many variations of it but I get no results.</P> <PRE><CODE>index=foo [| inputlookup foo2 | fields fieldA] index=foo | lookup foo2 fieldA OUTPUT fieldB </CODE></PRE> Tue, 09 May 2017 15:00:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370099#M109004 mgrosholz 2017-05-09T15:00:09Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370100#M109005 <P>Is fieldA the same name in foo and foo2?</P> Tue, 09 May 2017 15:19:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370100#M109005 chrishartsock 2017-05-09T15:19:31Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370101#M109006 <P>No. It is not. Should it be? </P> Tue, 09 May 2017 15:21:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370101#M109006 mgrosholz 2017-05-09T15:21:09Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370102#M109007 <P>Not necessarily. But since it is different you will need to rename fieldA to what it is in foo:</P> <P>index=foo<BR /> | lookup foo2 fieldA AS fieldA_name_in_foo OUTPUT fieldB</P> Tue, 29 Sep 2020 13:59:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370102#M109007 chrishartsock 2020-09-29T13:59:49Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370103#M109008 <P>Sweet we are getting somewhere! I got the output of fieldB but results are still showing all results of fieldA not just what populates compared to the lookup table. &lt;--does that make sense?</P> Tue, 09 May 2017 15:29:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370103#M109008 mgrosholz 2017-05-09T15:29:27Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370104#M109009 <P>Ultimately, you should be able to do:</P> <P>index=foo<BR /> | lookup foo2 fieldA AS fieldA_name_in_foo OUTPUT fieldB<BR /> | where NOT isnull(fieldB)</P> Tue, 29 Sep 2020 13:59:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370104#M109009 chrishartsock 2020-09-29T13:59:52Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370105#M109010 <P>I had a typo on my end. It works.</P> Tue, 09 May 2017 15:35:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370105#M109010 mgrosholz 2017-05-09T15:35:38Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370106#M109011 <P>Why did you add the not null for fieldB?</P> Tue, 09 May 2017 15:36:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370106#M109011 mgrosholz 2017-05-09T15:36:23Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370107#M109012 <P>Oh, and thanks btw.</P> Tue, 09 May 2017 15:41:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370107#M109012 mgrosholz 2017-05-09T15:41:27Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370108#M109013 <P>The lookup simply adds fieldB to events in index=foo where fieldA is matched. If fieldA is not matched, the event still shows up, but fieldB is null. Therefore the not isnull fulfills the "show only results matching fieldA in foo2" requirement.</P> Tue, 09 May 2017 17:12:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-to-a-lookup-table-and-pull-fields/m-p/370108#M109013 chrishartsock 2017-05-09T17:12:34Z