https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414042#M119298 <P>Recall that subsearches run before the main search. Therefore, <CODE>|inputlookup mal_ip | where src=mal_ip| fields category,mal_ip,product,port</CODE> must return results. Since there is no 'src' field, the query will not return any results. Try the following variation:</P> <PRE><CODE>index=fw OR index=waf | lookup mal_ip as src | fields category,mal_ip |stats count by src category </CODE></PRE> Wed, 12 Jun 2019 13:47:54 GMT richgalloway 2019-06-12T13:47:54Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414041#M119297 <P>I have 2 devices: fw and waf. I want to make a lookup, my lookup file is mal_ip that has 4 fields :</P> <PRE><CODE>mal_ip category product,port 1.1.1.1 mal_ip firewall 443 </CODE></PRE> <P>I want to say where src=mal_ip show category, the Common field is product and port. <BR /> My query is :</P> <PRE><CODE>index=fw OR index=waf [ |inputlookup mal_ip | where src=mal_ip| fields category,mal_ip,product,port]|stats count by src category </CODE></PRE> <P>But it doesn't match any fields, can you tell me what can I do?</P> Wed, 12 Jun 2019 07:49:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414041#M119297 badoomi 2019-06-12T07:49:07Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414042#M119298 <P>Recall that subsearches run before the main search. Therefore, <CODE>|inputlookup mal_ip | where src=mal_ip| fields category,mal_ip,product,port</CODE> must return results. Since there is no 'src' field, the query will not return any results. Try the following variation:</P> <PRE><CODE>index=fw OR index=waf | lookup mal_ip as src | fields category,mal_ip |stats count by src category </CODE></PRE> Wed, 12 Jun 2019 13:47:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414042#M119298 richgalloway 2019-06-12T13:47:54Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414043#M119299 <P>Hi Badoomi,</P> <P>You're using the lookup in the wrong way to achieve your results. <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> is <EM>almost</EM> right in his answer:</P> <PRE>index=fw OR index=waf | lookup mal_ip mal_ip as src OUTPUT category product port | stats count by src category</PRE> <P>However, if you want to match more than src, and you need to check the product and the port as well it would be written as follows:</P> <P><PRE>index=fw OR index=waf<BR /> | lookup mal_ip mal_ip as src product as product port as port OUTPUT category<BR /> | stats count by src category</PRE></P> <P>This will match against src, product, and port. But product and port have to be extracted/defined before using the <CODE>| lookup</CODE> in that search.</P> Wed, 30 Sep 2020 00:51:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414043#M119299 jnudell_2 2020-09-30T00:51:28Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414044#M119300 <P>it doesn't work and show me this error:<BR /> Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.</P> Sat, 15 Jun 2019 05:31:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414044#M119300 badoomi 2019-06-15T05:31:16Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414045#M119301 <P>it doesnt work, i want to compare src from my firewall and waf with mal_ip in my lookup file</P> Sat, 15 Jun 2019 05:35:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414045#M119301 badoomi 2019-06-15T05:35:10Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414046#M119302 <P>You'll need to make sure that both the lookup table (CSV file) AND the definition are created.</P> <P>Please refer to this:<BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/Knowledge/LookupexampleinSplunkWeb">https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/Knowledge/LookupexampleinSplunkWeb</A></P> Sat, 15 Jun 2019 12:46:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414046#M119302 jnudell_2 2019-06-15T12:46:31Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414047#M119303 <P>Make sure the fw and waf indexes are returning events with a field called 'src'. If not, add <CODE>rename</CODE> or <CODE>eval</CODE> statements to create such a field.</P> Mon, 17 Jun 2019 12:25:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414047#M119303 richgalloway 2019-06-17T12:25:32Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414048#M119304 <P>This assumes that your <CODE>lookup file</CODE> is referenced by a <CODE>lookup definition</CODE> called <CODE>mal_ip</CODE> (if not, replace the first <CODE>mal_ip</CODE> value with the correct <CODE>lookup definition</CODE> or <CODE>lookup file</CODE><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>index=fw OR index=waf | lookup mal_ip mal_ip AS src product port OUTPUT category </CODE></PRE> Mon, 17 Jun 2019 21:26:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-search-for-matching-2-fields/m-p/414048#M119304 woodcock 2019-06-17T21:26:29Z