https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530826#M149949 <P>The <FONT face="courier new,courier">append</FONT> command adds rows to your output rather than columns (that would be <FONT face="courier new,courier">appendcols</FONT>, but don't use that here).&nbsp; Appended rows often need to be combined with earlier rows.&nbsp; We can use <FONT face="courier new,courier">stats</FONT> to do that.</P><P>The <FONT face="courier new,courier">eval</FONT> command only looks at a single event so anything it compares must be in that one event.&nbsp; In the example, only events containing both a user and a sAMAccountName field (which should be none of them) will have "MATCH".</P><LI-CODE lang="markup">| ldapsearch domain="default" search="(&amp;(objectClass=user))" attrs="sAMAccountName, distinguishedName" | rename sAMAccountName as user | append [| inputlookup account_status_tracker | fields Latest, user] | stats values(*) as * by user ```Now the ldapsearch output is matched up with the inputlookup``` ```Any row without a distinguishedName field didn't have an entry in ``` ```ldapsearch so we can drop it.``` | where isnotnull(distinguishedName) ```Replace the table command with outputlookup to save the results in the lookup file``` | table Latest user</LI-CODE> Wed, 25 Nov 2020 14:07:13 GMT richgalloway 2020-11-25T14:07:13Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530816#M149948 <P>Hi all,</P><P>I have been trying to use a search in order to compare two results. One is my lookup and one with an ldapsearch. I am trying to only keep the records of users who are actually still in the AD.</P><P>So my lookup contains the usernames and latest login time and my ldapsearch obviously has the updated list of every account still in the AD.&nbsp;</P><P>My goal is to crosscheck if there are rows in the lookup that could be delete which is the goal of my query. So far I have the following but I am unable to append the lookup file. Can anyone help me achieve my goal? Tell me if this is the best way to do it and otherwise help me? If it this the best way can you correct my search?&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| ldapsearch domain="default" search="(&amp;(objectClass=user))" attrs="sAMAccountName, distinguishedName" | append [| inputlookup account_status_tracker | fields Latest, user] | eval match = if(user==sAMAccountName, "MATCH", "NOMATCH") | table _time sAMAccountName Latest user match</LI-CODE><P>&nbsp;</P><P>&nbsp;The table displays the values related to the ldapsearch but not the ones of the lookup file.&nbsp;</P><P>Thanks anyway,</P><P>Sasquatchatmars</P> Wed, 25 Nov 2020 13:49:47 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530816#M149948 Sasquatchatmars 2020-11-25T13:49:47Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530826#M149949 <P>The <FONT face="courier new,courier">append</FONT> command adds rows to your output rather than columns (that would be <FONT face="courier new,courier">appendcols</FONT>, but don't use that here).&nbsp; Appended rows often need to be combined with earlier rows.&nbsp; We can use <FONT face="courier new,courier">stats</FONT> to do that.</P><P>The <FONT face="courier new,courier">eval</FONT> command only looks at a single event so anything it compares must be in that one event.&nbsp; In the example, only events containing both a user and a sAMAccountName field (which should be none of them) will have "MATCH".</P><LI-CODE lang="markup">| ldapsearch domain="default" search="(&amp;(objectClass=user))" attrs="sAMAccountName, distinguishedName" | rename sAMAccountName as user | append [| inputlookup account_status_tracker | fields Latest, user] | stats values(*) as * by user ```Now the ldapsearch output is matched up with the inputlookup``` ```Any row without a distinguishedName field didn't have an entry in ``` ```ldapsearch so we can drop it.``` | where isnotnull(distinguishedName) ```Replace the table command with outputlookup to save the results in the lookup file``` | table Latest user</LI-CODE> Wed, 25 Nov 2020 14:07:13 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530826#M149949 richgalloway 2020-11-25T14:07:13Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530828#M149950 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;,</P><P>This worked like a charm, thank you very much!&nbsp;</P><P>Sasquatchatmars</P> Wed, 25 Nov 2020 14:11:57 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-command-not-working/m-p/530828#M149950 Sasquatchatmars 2020-11-25T14:11:57Z