https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/506915#M141796 <P>Hello all,</P><P>Looking for some help integrating a lookup table into my failed login search. What I am trying to achieve is to look for any events matching the base search I have below using each of the account name variations in the table. Any help is much appreciated.&nbsp;</P><P>base search: index=wineventlog OR index=h_wineventlog EventCode=4625 user=(LL,CL,TL would go here) | stats count by user</P><P>example of table below :&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tkerr357_0-1593623557125.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9419iF4830F3BB03D74E8/image-size/medium?v=v2&amp;px=400" role="button" title="tkerr357_0-1593623557125.png" alt="tkerr357_0-1593623557125.png" /></span></P><P>&nbsp;</P> Wed, 01 Jul 2020 17:29:55 GMT tkerr357 2020-07-01T17:29:55Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/506915#M141796 <P>Hello all,</P><P>Looking for some help integrating a lookup table into my failed login search. What I am trying to achieve is to look for any events matching the base search I have below using each of the account name variations in the table. Any help is much appreciated.&nbsp;</P><P>base search: index=wineventlog OR index=h_wineventlog EventCode=4625 user=(LL,CL,TL would go here) | stats count by user</P><P>example of table below :&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tkerr357_0-1593623557125.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/9419iF4830F3BB03D74E8/image-size/medium?v=v2&amp;px=400" role="button" title="tkerr357_0-1593623557125.png" alt="tkerr357_0-1593623557125.png" /></span></P><P>&nbsp;</P> Wed, 01 Jul 2020 17:29:55 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/506915#M141796 tkerr357 2020-07-01T17:29:55Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/507139#M141829 <P>Look a inputlookup&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Inputlookup" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Inputlookup</A></P><P>You will want to match with your base search and perform logic on the fields returned from the lookup and base.</P><P>&nbsp;</P><P>HTH</P><P>&nbsp;</P><P>Chris</P> Thu, 02 Jul 2020 19:32:37 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/507139#M141829 chrisboy68 2020-07-02T19:32:37Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/507823#M141956 <P>sorry I have read through the documentation but can you provide a brief example of what you mean?&nbsp;</P> Tue, 07 Jul 2020 12:45:37 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-help/m-p/507823#M141956 tkerr357 2020-07-07T12:45:37Z