https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554442#M157378 <P>Hello All</P><P>"Good Day"</P><P>index="aedc"<BR />| rex field=source "-_(?&lt;source&gt;\S+)"<BR />| rex "(?&lt;ModuleID&gt;MY\d+)"<BR />| rex "(?&lt;Path&gt;/F.\s\S+\s\S+\s\S+\s\S+\s\S{5})"<BR />|search"source"="*" MY22 "CRS_ASIL"="*" *<BR />|rename "TC_D2_Test Result" as Result, TC_D2_Execution_date as verified_Date,"CRS__TestType" as TestType<BR />| rename CRS__implementation_phase as CRS_IP, "TC_Test Result" as result<BR />| eval verified_Date=if((verified_Date == "Attr not found : D2_Execution_date"),null(),verified_Date)<BR />|eval Date=strptime(verified_Date, "%a %d %B %Y %H:%M:%S")|eval date=if(Date&gt;1604600000.000000 OR Date&gt;1602000000.000000,Date,0)<BR />| eval First_Date=verified_Date, sortstring="~"<BR />|eval date=if(Date&gt;1604600000.000000 OR Date&gt;1602000000.000000 ,Date,0)<BR />| append<BR /><STRONG><FONT color="#003300">[|inputlookup DoorsMappingwithDatenopartial.csv |append[| inputlookup DoorsMappingNoDate.csv</FONT></STRONG><BR /><STRONG><FONT color="#003300">|where bPartialResultsEnabled="FALSE"]]</FONT></STRONG><BR />| stats count(eval(Path="/F. System Testing/System Functional Test Cases")) as "Functional Total",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND<SPAN>&nbsp;</SPAN><STRONG>date=Date</STRONG><SPAN>&nbsp;</SPAN>,Result))) as "Functional Test Conducted",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND Result="Pass" OR Result="PASS" AND date=Date,Result))) as "Functional Pass",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases"AND Result="Fail" OR Result="FAIL" AND date=Date,Result))) as "Functional Fail" by "CRS_Customer Requirement Identifier"<BR />|eventstats sum("Functional Total") as Functional_Total,sum("Functional Test Conducted") as "Functional Test Conducted",sum("Functional Pass") as "Functional Pass",sum("Functional Fail") as "Functional Fail"|table Functional_Total,"Functional Test Conducted","Functional Pass","Functional Fail"<BR /><BR />Above is my query in the query i am trying to add condition using lookup files&nbsp;<BR />Condition is if&nbsp;<STRONG><FONT color="#003300">bPartialResultsEnabled is False</FONT></STRONG><FONT color="#003300"><SPAN>&nbsp;</SPAN>we should consider</FONT><FONT color="#003300"><STRONG><SPAN>&nbsp;</SPAN>date</STRONG><SPAN>&nbsp;</SPAN>in functional count if it is<SPAN>&nbsp;</SPAN><STRONG>true</STRONG><SPAN>&nbsp;</SPAN>we should not consider<SPAN>&nbsp;</SPAN><STRONG>date</STRONG></FONT></P><P><FONT color="#003300">I tried all possible ways ,I know</FONT></P><P><FONT color="#003300">Please help me out..<BR /><BR /></FONT></P><P><FONT color="#003300">Thank you in advance</FONT></P> Fri, 04 Jun 2021 08:53:31 GMT renuka 2021-06-04T08:53:31Z https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554442#M157378 <P>Hello All</P><P>"Good Day"</P><P>index="aedc"<BR />| rex field=source "-_(?&lt;source&gt;\S+)"<BR />| rex "(?&lt;ModuleID&gt;MY\d+)"<BR />| rex "(?&lt;Path&gt;/F.\s\S+\s\S+\s\S+\s\S+\s\S{5})"<BR />|search"source"="*" MY22 "CRS_ASIL"="*" *<BR />|rename "TC_D2_Test Result" as Result, TC_D2_Execution_date as verified_Date,"CRS__TestType" as TestType<BR />| rename CRS__implementation_phase as CRS_IP, "TC_Test Result" as result<BR />| eval verified_Date=if((verified_Date == "Attr not found : D2_Execution_date"),null(),verified_Date)<BR />|eval Date=strptime(verified_Date, "%a %d %B %Y %H:%M:%S")|eval date=if(Date&gt;1604600000.000000 OR Date&gt;1602000000.000000,Date,0)<BR />| eval First_Date=verified_Date, sortstring="~"<BR />|eval date=if(Date&gt;1604600000.000000 OR Date&gt;1602000000.000000 ,Date,0)<BR />| append<BR /><STRONG><FONT color="#003300">[|inputlookup DoorsMappingwithDatenopartial.csv |append[| inputlookup DoorsMappingNoDate.csv</FONT></STRONG><BR /><STRONG><FONT color="#003300">|where bPartialResultsEnabled="FALSE"]]</FONT></STRONG><BR />| stats count(eval(Path="/F. System Testing/System Functional Test Cases")) as "Functional Total",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND<SPAN>&nbsp;</SPAN><STRONG>date=Date</STRONG><SPAN>&nbsp;</SPAN>,Result))) as "Functional Test Conducted",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND Result="Pass" OR Result="PASS" AND date=Date,Result))) as "Functional Pass",count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases"AND Result="Fail" OR Result="FAIL" AND date=Date,Result))) as "Functional Fail" by "CRS_Customer Requirement Identifier"<BR />|eventstats sum("Functional Total") as Functional_Total,sum("Functional Test Conducted") as "Functional Test Conducted",sum("Functional Pass") as "Functional Pass",sum("Functional Fail") as "Functional Fail"|table Functional_Total,"Functional Test Conducted","Functional Pass","Functional Fail"<BR /><BR />Above is my query in the query i am trying to add condition using lookup files&nbsp;<BR />Condition is if&nbsp;<STRONG><FONT color="#003300">bPartialResultsEnabled is False</FONT></STRONG><FONT color="#003300"><SPAN>&nbsp;</SPAN>we should consider</FONT><FONT color="#003300"><STRONG><SPAN>&nbsp;</SPAN>date</STRONG><SPAN>&nbsp;</SPAN>in functional count if it is<SPAN>&nbsp;</SPAN><STRONG>true</STRONG><SPAN>&nbsp;</SPAN>we should not consider<SPAN>&nbsp;</SPAN><STRONG>date</STRONG></FONT></P><P><FONT color="#003300">I tried all possible ways ,I know</FONT></P><P><FONT color="#003300">Please help me out..<BR /><BR /></FONT></P><P><FONT color="#003300">Thank you in advance</FONT></P> Fri, 04 Jun 2021 08:53:31 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554442#M157378 renuka 2021-06-04T08:53:31Z https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554453#M157384 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224369">@renuka</a>&nbsp;</P><P>Here you have to use some trick. Please check below search. &nbsp;</P><P>In this search I have created a field name 'flag' with required conditions and same flag will be used in stats.</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_FIRST_SEARCH | eval flag = case(bPartialResultsEnabled=="False" AND date=Date,"True", bPartialResultsEnabled=="True","True",1=1,"False") | stats count(eval(Result=case(Path="/F. System Testing/System Functional Test Cases" AND flag="True" ,Result))) as "Functional Test Conducted" YOUR_REST_SEARCH</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Fri, 04 Jun 2021 09:41:20 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554453#M157384 kamlesh_vaghela 2021-06-04T09:41:20Z https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554462#M157387 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a>&nbsp;<BR /><BR />Thank you reply<BR />&nbsp;But I couldn't extract inputlookup data into prevvious search query can you please ellaborate in detail<BR />that would help me<BR /><BR />Thank you in advance<BR />"Happy Splunking"</P> Fri, 04 Jun 2021 10:16:06 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554462#M157387 renuka 2021-06-04T10:16:06Z https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554466#M157388 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224369">@renuka</a>&nbsp;</P><P>Please try this search.</P><P>&nbsp;</P><LI-CODE lang="markup">YOUR_SEARCH | eval flag = case(bPartialResultsEnabled=="False" AND date=Date,"True", bPartialResultsEnabled=="True","True",1=1,"False") | stats count(eval(Path=="/F. System Testing/System Functional Test Cases" AND flag="True")) as "Functional Test Conducted" REST_OF_THE_SEARCH</LI-CODE><P>&nbsp;</P><P><STRONG>Explanation:</STRONG>&nbsp;</P><LI-CODE lang="markup">| eval flag = case(bPartialResultsEnabled=="False" AND date=Date,"True", bPartialResultsEnabled=="True","True",1=1,"False")</LI-CODE><P>&nbsp;</P><P>This flag variable will identify whether particular event should be consider or not for count in stats command.</P><P><SPAN>Condition is if&nbsp;</SPAN><STRONG><FONT color="#003300">bPartialResultsEnabled is False</FONT></STRONG><FONT color="#003300"><SPAN>&nbsp;</SPAN>we should consider</FONT><FONT color="#003300"><STRONG><SPAN>&nbsp;</SPAN>date</STRONG><SPAN>&nbsp;</SPAN>in functional count if it is<SPAN>&nbsp;</SPAN><STRONG>true</STRONG><SPAN>&nbsp;</SPAN>we should not consider<SPAN>&nbsp;</SPAN><STRONG>date</STRONG></FONT></P><P>As per our logic, <STRONG>date=Date</STRONG> should only consider when <STRONG>bPartialResultsEnabled="False"</STRONG> else <STRONG>bPartialResultsEnabled=True </STRONG></P><P>So event should be consider when one of this 2 condition matched.</P><P>&nbsp;And in our case&nbsp;flag is doing same.</P><LI-CODE lang="markup">| stats count(eval(Path=="/F. System Testing/System Functional Test Cases" AND flag="True")) as "Functional Test Conducted"</LI-CODE><P>&nbsp;</P><P>I have changed in <STRONG>eval</STRONG>&nbsp;so you can try that also.</P><P>&nbsp;Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Fri, 04 Jun 2021 11:34:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-to-add-the-input-lookup-file-in-the-search/m-p/554466#M157388 kamlesh_vaghela 2021-06-04T11:34:07Z