https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393589#M114452 <P>hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/148120">@ndaniel88</a> </P> <P>try liek this <BR /> | inputlookup my_names.csv | fields Name | rename Name as names <BR /> |append [search index=my_index sourcetype=my_st names=* | fields number names]<BR /> | reverse |dedup name |sort name |fillnull value="Not Found" number</P> Tue, 29 Sep 2020 22:04:09 GMT harishalipaka 2020-09-29T22:04:09Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393586#M114449 <P>Hello, I'm trying to do an outer join, but without actually using a join, </P> <P>I have a lookup with names and based on these names, I need to perform the search and return all values on the lookup, even if they were not found on the search. For example:</P> <P><STRONG>lookup</STRONG><BR /> name<BR /> a<BR /> b<BR /> c<BR /> d<BR /> e<BR /> f<BR /> g</P> <P><STRONG>search</STRONG><BR /> name | number<BR /> a | 12:34:56<BR /> b | 09:87:76<BR /> e | 45:23:65</P> <P>So, the result should be something like:</P> <P>a | 12:34:56<BR /> b | 09:87:76<BR /> c | Not found<BR /> d | Not found<BR /> e | 45:23:65<BR /> f | Not found<BR /> g | Not found</P> <P>This is my search so far which is working, but I dont want to use join, because it takes sooo long to complete because a big amount of events:</P> <PRE><CODE>| inputlookup my_names.csv | fields Name | rename Name as names | join type=left names[search index=my_index sourcetype=my_st names=* | fields number names | dedup names | stats latest(number) by names </CODE></PRE> <P>Thanks in advance.</P> Wed, 14 Nov 2018 22:48:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393586#M114449 ndaniel88 2018-11-14T22:48:41Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393587#M114450 <P>hi @ndaniel88 </P> <P>try like this you will get..<BR /> pls accept answer or upvote it if helped.:)</P> <PRE><CODE>|makeresults |eval name="a" |append [|makeresults |eval name="b"] |append [|makeresults |eval name="c"]|append [|makeresults |eval name="d"] |table name|append [|makeresults |eval name="a" ,number="12:34:56" |append [|makeresults |eval name="c" ,number="45:23:65"] |table name number] | reverse |dedup name |sort name |fillnull value="Not Found" number </CODE></PRE> Thu, 15 Nov 2018 10:51:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393587#M114450 harishalipaka 2018-11-15T10:51:04Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393588#M114451 <P>I'm not sure this is what I'm looking for. I don't get how to transform this for use a lookup and a search.</P> <P>Probably I didn't explain myself correctly. My main information comes from the lookup, even if there is match or not inside the search, I need to print all values from the lookup.</P> Thu, 15 Nov 2018 15:48:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393588#M114451 ndaniel88 2018-11-15T15:48:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393589#M114452 <P>hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/148120">@ndaniel88</a> </P> <P>try liek this <BR /> | inputlookup my_names.csv | fields Name | rename Name as names <BR /> |append [search index=my_index sourcetype=my_st names=* | fields number names]<BR /> | reverse |dedup name |sort name |fillnull value="Not Found" number</P> Tue, 29 Sep 2020 22:04:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-perform-a-search-based-on-lookup-values/m-p/393589#M114452 harishalipaka 2020-09-29T22:04:09Z