https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540251#M152822 <P>Is there a way to use "foreach" to add the flag and append?</P> Wed, 17 Feb 2021 14:05:45 GMT Glasses 2021-02-17T14:05:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540141#M152783 <P>Lets say I have 3 lookups &gt;&gt;&gt; a-list.csv, b-list.csv, c-list.csv and the lists only have 1 column header = Name<BR />Alice is on a-list<BR />Bob is on b-list<BR />Charles is on c-list</P><P>There are lots of people on each list and the lists are dynamic and updated.<BR />I have a request to create a Combined_Master Lookup (where C_M-list.csv = a-list.csv + b-list.csv + c-list.csv),<BR />where the list contains NAME, FLAG fields such as</P><P>NAME,FLAG</P><P>Alice, a-list<BR />Bob, b-list<BR />Charles, c-list</P><P>So far I use the following query to build the C_M-list.csv, where there is a Name and Flag appended to each name (which indicate which list the person is from)<BR />BUT I am wondering if there is a better way...</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup a-list.csv | eval FLAG = "a-list" | inputlookup b-list.csv append=true | eval FLAG = coalesce(FLAG, "b-list") | inputlookup c-list.csv append=true | eval FLAG = coalesce(FLAG, "c-list") |.... &lt;rest of the query follows&gt;....</LI-CODE><P>&nbsp;</P><P>My desired outcome is a M_C-list.csv</P><P>Alice,a-list</P><P>Bob,b-list</P><P>Charles,c-list</P><P>Any suggestions or improvements appreciated.<BR />TY!</P> Tue, 16 Feb 2021 19:03:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540141#M152783 Glasses 2021-02-16T19:03:43Z https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540251#M152822 <P>Is there a way to use "foreach" to add the flag and append?</P> Wed, 17 Feb 2021 14:05:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540251#M152822 Glasses 2021-02-17T14:05:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540267#M152829 <P>Greetings&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/138497">@Glasses</a>,</P><P>Try this:</P><LI-CODE lang="markup"> | inputlookup a-list.csv | eval FLAG = "a-list" | append [ | inputlookup b-list.csv | eval FLAG = "b-list" ] | append [ | inputlookup c-list.csv | eval FLAG = "c-list" ]</LI-CODE> Wed, 17 Feb 2021 15:23:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540267#M152829 jacobpevans 2021-02-17T15:23:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540268#M152830 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/182087">@jacobpevans</a>&nbsp;NICE!!!</P><P>I tried something similar with subsearches and failed... but this seems like they way to go.</P><P>Thank you!</P> Wed, 17 Feb 2021 15:38:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-combine-multiple-lookups-into-one-lookup/m-p/540268#M152830 Glasses 2021-02-17T15:38:12Z