https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379322#M111152 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206066">@twh1</a></P> <P>I would suggest you two ways here:<BR /> 1. Use automatic lookup based where for sourcetype="test:data"<BR /> in input fields you can mention PROC_CODE and if you want fields from lookup them you can use field value override option.<BR /> By using that the fields will be automatically will be available in search <BR /> like </P> <PRE><CODE> index="test_data" sourcetype="test:data" | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE </CODE></PRE> <OL> <LI><P>Other way is using lookup as suggested by <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> in comments:<BR /> like </P> <P>index="test_data" sourcetype="test:data" <BR /> | lookup PROC_CODE as PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE <BR /> | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE</P></LI> </OL> Wed, 30 Sep 2020 01:14:45 GMT vishaltaneja070 2020-09-30T01:14:45Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379320#M111150 <P>I have requirement to print product details in a table. where i am getting some value from the log and some i have print based on matching product code from lookup table. </P> <P>I tried below query and I am getting result in proper format.</P> <PRE><CODE>| inputlookup PROC_DETAIL | table PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | join PROC_CODE [ search index="test_data" sourcetype="test:data" | table TIMESTAMP SID PROC_CODE PROC_VALUE SYS_NAME ] | fields TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE </CODE></PRE> <P>But when I am expanding time range to see more data, my result count is remaining same, as I am matching the value from lookup table. I want to main my log data as main search and for each event, i want value of <STRONG>PROC_NAME PROC_PARA PROC_TYPE</STRONG> should come from lookup table based on matching <STRONG>PROC_CODE</STRONG>. </P> Wed, 30 Sep 2020 01:14:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379320#M111150 twh1 2020-09-30T01:14:37Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379321#M111151 <P>Hi twh1,<BR /> if you put a search in subsearch, you have the limit of 50,000 results, so expanding the time range you don't have additional results.<BR /> Anyway, the lookup command is like a join command so, rebuild your search inverting the terms.<BR /> In addition, you don't need to use the table command in intermediate part of the search.<BR /> In other words, try something like this:</P> <PRE><CODE>index="test_data" sourcetype="test:data" | lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE </CODE></PRE> <P>beware that the key field PROC_CODE must be the same in search and lookup (and it's case sensitive), if it's different, add the option <CODE>PROC_CODE AS other_PROC_CODE</CODE>.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 30 Sep 2020 01:11:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379321#M111151 gcusello 2020-09-30T01:11:04Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379322#M111152 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206066">@twh1</a></P> <P>I would suggest you two ways here:<BR /> 1. Use automatic lookup based where for sourcetype="test:data"<BR /> in input fields you can mention PROC_CODE and if you want fields from lookup them you can use field value override option.<BR /> By using that the fields will be automatically will be available in search <BR /> like </P> <PRE><CODE> index="test_data" sourcetype="test:data" | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE </CODE></PRE> <OL> <LI><P>Other way is using lookup as suggested by <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> in comments:<BR /> like </P> <P>index="test_data" sourcetype="test:data" <BR /> | lookup PROC_CODE as PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE <BR /> | table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE</P></LI> </OL> Wed, 30 Sep 2020 01:14:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379322#M111152 vishaltaneja070 2020-09-30T01:14:45Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379323#M111153 <P>Thanks @gcusello , it helped me alot. </P> Fri, 05 Jul 2019 18:49:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379323#M111153 twh1 2019-07-05T18:49:40Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379324#M111154 <P>Try this:</P> <PRE><CODE>index="test_data" sourcetype="test:data" | lookup PROC_DETAIL PROC_CODE OUTPUT PROC_NAME PROC_PARA PROC_TYPE </CODE></PRE> Sat, 06 Jul 2019 00:03:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-in-subsearch-with-join/m-p/379324#M111154 woodcock 2019-07-06T00:03:07Z