https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534749#M151114 <P>lookup command takes as many conditions as needed</P><LI-CODE lang="markup">| lookup lookup_file id environment</LI-CODE><P>that means you have to provide environment as a constraint to the lookup - is that what you mean?</P><P>you example indicates you are trying to determine if the id is test or prod, but if it returns both, is that not a valid response? What are you intending to do with the answer to the lookup?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 05 Jan 2021 04:12:08 GMT bowesmana 2021-01-05T04:12:08Z https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534710#M151105 <P>Hi,</P><P>iam stuck with a problem where i need help from you guys. I have a search that runs IDs against a lookup to determine if that ID is from Production or Test Environment. Problem is: some IDs are double, means they exist in Prod and in Test. So when I search and hit one of those IDs they count against Prod and against Test. So i wanted to filter for two conditions that must be met - First would be the specific ID and second would be the environment. I cant get that to work, is there any way to select two conditions that must be met before the lookup give back an result?</P><P>I appreciate any feedback <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 04 Jan 2021 15:18:36 GMT https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534710#M151105 DanielAmlung 2021-01-04T15:18:36Z https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534749#M151114 <P>lookup command takes as many conditions as needed</P><LI-CODE lang="markup">| lookup lookup_file id environment</LI-CODE><P>that means you have to provide environment as a constraint to the lookup - is that what you mean?</P><P>you example indicates you are trying to determine if the id is test or prod, but if it returns both, is that not a valid response? What are you intending to do with the answer to the lookup?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 05 Jan 2021 04:12:08 GMT https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534749#M151114 bowesmana 2021-01-05T04:12:08Z https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534759#M151119 <P>&nbsp;</P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>Hi, thats what i tried. But then i get a multi value field "environment" back which contains both prod and test. I could split that into two fields, but in the summary its wrong because than i have 6 prod events insted of 3.</P><P>Idea behind this is: we have a system that calls for specific functions. Every call is tied to an ID, but since they also test the system it can happen that this id is valid both in prod and test. So when i create a search that queries only for calls from a specific id within the prod environment, i get douple results.&nbsp; Because the id is both found in prod and test. So i wanted to filter for two conditions first one would be the id and second one would be the environment. But that need to happen within the lookup statement and not after wards.</P><P>&nbsp;</P><P><U>Example search with mvexpand:</U></P><P>index=XX&nbsp; sourcetype=iis</P><P>NOT cs_User_Agent=performanceTester cs_uri_stem="*datapoints*values/*"&nbsp;</P><P>| search XXid=XX475&nbsp;</P><P>| lookup local=true lkp_XX_ids_kv XXId AS xx_id&nbsp; OUTPUTNEW SourceSystemName as source_system Environment</P><P>| mvexpand Environment</P><P>|search Prod</P></DIV></DIV> Tue, 05 Jan 2021 07:48:57 GMT https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/534759#M151119 DanielAmlung 2021-01-05T07:48:57Z https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/537605#M152000 <P>Fixed it</P><P>&nbsp;</P><P>/close</P> Thu, 28 Jan 2021 12:00:13 GMT https://community.splunk.com/t5/Splunk-Search/Two-conditions-for-Lookup/m-p/537605#M152000 DanielAmlung 2021-01-28T12:00:13Z