https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427429#M122392 <P>Figured out the issue in that the username was in call caps so whenever I would try to call another field like LastName, FirstName, or Role no results were returned, but calling just the user field would return the user.</P> <P>Thx</P> Fri, 19 Oct 2018 14:55:03 GMT jwalzerpitt 2018-10-19T14:55:03Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427417#M122380 <P>I have the following search in which I match up the user field from the lookup to the index, getting the top return of only the admin accounts:</P> <PRE><CODE>index=foo [| inputlookup admin_accts | fields user ] | stats count by user | sort -count </CODE></PRE> <P>The lookup admin_accts also has three other fields - "Last Name", "First Name", and "Role". </P> <P>How do I modify the search so that those three additional fields are listed in the results?</P> <P>Thx</P> Tue, 16 Oct 2018 12:44:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427417#M122380 jwalzerpitt 2018-10-16T12:44:51Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427418#M122381 <P>@jwalzerpitt,</P> <P>Try ,</P> <PRE><CODE>index=foo|stats count by user | lookup admin_accts user OUTPUT "Last Name", "First Name", "Role" |where Role!="" </CODE></PRE> <P>This should avoid your sub-search with the inputlookup. Compare the results and also the performane</P> Tue, 16 Oct 2018 13:43:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427418#M122381 renjith_nair 2018-10-16T13:43:28Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427419#M122382 <P>Or...</P> <PRE><CODE> index=foo [| inputlookup admin_accts | fields user ] | stats count by user | lookup admin_accts user OUTPUT "Last Name", "First Name", "Role" | sort -count </CODE></PRE> Tue, 16 Oct 2018 13:59:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427419#M122382 DalJeanis 2018-10-16T13:59:27Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427420#M122383 <P>Thx for the reply</P> <P>If I try the search above, it doesn't match on the users in the lookup file. For example, using my original search, six users are returned. Using your suggested search, I get no results at all.</P> <P>Thx</P> Tue, 16 Oct 2018 14:03:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427420#M122383 jwalzerpitt 2018-10-16T14:03:45Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427421#M122384 <P>Dal,</P> <P>Using your suggested search, I see the six users, but the other fields returned are blank. For the heck of it, I removed the space between the two fields first name and last name (now they're Lastname and FirstName) to see if that made a difference, but still, the same result with the users returned, but the three other fields blank.</P> <P>Thx</P> Tue, 16 Oct 2018 14:07:16 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427421#M122384 jwalzerpitt 2018-10-16T14:07:16Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427422#M122385 <P>Also, I did an<CODE>| inputlookup admin_accts</CODE> and the table is returned with the columns FirstName LastName, Role, and user to verify the lookup table</P> Tue, 16 Oct 2018 14:11:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427422#M122385 jwalzerpitt 2018-10-16T14:11:21Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427423#M122386 <P>are you getting result for <CODE>index=foo|stats count by user</CODE> ? If yes, then are the field name in search and lookup same - <CODE>user</CODE> ? </P> Tue, 16 Oct 2018 14:16:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427423#M122386 renjith_nair 2018-10-16T14:16:05Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427424#M122387 <P>I am - the field for the index is "user" and the field in the lookup is "user"</P> <P>With my search, the results returned filters on only the users in the lookup</P> Tue, 16 Oct 2018 14:18:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427424#M122387 jwalzerpitt 2018-10-16T14:18:58Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427425#M122388 <P>Since the lookup is not working in both suggestions , we shall re-look at the lookup definitions. Just to test, can you try this</P> <PRE><CODE>|makeresults|eval user="give here one of your admin username"|lookup admin_accts user OUTPUT "Last Name", "First Name", "Role" </CODE></PRE> <P>If we are not getting the result for this, then we might have a problem in lookup definition</P> Wed, 17 Oct 2018 03:13:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427425#M122388 renjith_nair 2018-10-17T03:13:02Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427426#M122389 <P>A user is returned, but no values for the LastName, FirstName, and Role</P> <P>Thx </P> Wed, 17 Oct 2018 12:38:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427426#M122389 jwalzerpitt 2018-10-17T12:38:58Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427427#M122390 <P>That tells us that there might be a problem in lookup because we just did a simple lookup. Could there be a space in user value in lookup or any other special character? Try creating a simple csv file with one or two records from the original lookup file and upload it as .csv and repeat the above sample search against that file.csv. Once you are able to get that lookup fixed, the original search provided should work.</P> Wed, 17 Oct 2018 14:32:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427427#M122390 renjith_nair 2018-10-17T14:32:43Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427428#M122391 <P>@jwalzerpitt - the output fields should be spelled and capitalized exactly as they are on the lookup file. </P> <PRE><CODE> | lookup admin_accts user OUTPUT LastName FirstName Role </CODE></PRE> Fri, 19 Oct 2018 14:51:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427428#M122391 DalJeanis 2018-10-19T14:51:33Z https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427429#M122392 <P>Figured out the issue in that the username was in call caps so whenever I would try to call another field like LastName, FirstName, or Role no results were returned, but calling just the user field would return the user.</P> <P>Thx</P> Fri, 19 Oct 2018 14:55:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-include-additional-fields-from-an-inputlookup-in/m-p/427429#M122392 jwalzerpitt 2018-10-19T14:55:03Z