https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65710#M16306 <P>I have a similar issue however I'm using a dnslookup. I've tried a few variations however, i can't seem to get the dnslookup result to appear on the table. </P> <PRE><CODE>index=xxx sourcetype="WinEventLog:Security" "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc= mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | dnslookup forward ComputerName Client_Address | table account_domain account_name ComputerName Caller_Computer_Name Client_Address </CODE></PRE> <P>In the above example, the "Client_Address" field is ooming up blank. Any ideas? thanks in advance!</P> Thu, 21 Aug 2014 22:44:30 GMT sadkha 2014-08-21T22:44:30Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65706#M16302 <P>Currently i am populating my summary index with a list of malware listed ips with</P> <PRE><CODE>index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup | rename watch_ip as clientip | fields + clientip ] | dedup clientip | lookup ga ip as clientip | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other </CODE></PRE> <P>the inputlookup watchlist_ip_lookup.csv file has two columns, the watch_type is optional as sometimes it's blank</P> <PRE><CODE> watch_ip, watch_type 2.187.19.0, C2 49.244.116.184, 46.63.167.216, C2 .... etc </CODE></PRE> <P>How would i include the watch_type field in all the results for my summary index?</P> Mon, 28 Sep 2020 12:28:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65706#M16302 sonicZ 2020-09-28T12:28:55Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65707#M16303 <P>Will this work?</P> <PRE><CODE>index=blah OR index=blah2 OR index=blah3 NOT uri="/dot_clear.gif" [ | inputlookup watchlist_ip_lookup | rename watch_ip as clientip | fields + clientip ] | dedup clientip | lookup ga ip as clientip | lookup watchlist_ip_lookup watch_ip as clientip OUTPUT watch_type | table date_month, date_mday, date_hour, date_minute, date_year, clientip, country, org, status, referer, uri, host, source, sourcetype, index, other, watch_type </CODE></PRE> Thu, 20 Sep 2012 05:07:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65707#M16303 lguinn2 2012-09-20T05:07:57Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65708#M16304 <P>Awesome thanks Lisa, that outer lookup was the trick. Its pulling up the extra field from the lookup now.</P> Thu, 20 Sep 2012 16:05:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65708#M16304 sonicZ 2012-09-20T16:05:04Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65709#M16305 <P>I was looking for a similar output and the above search worked. Thanks.</P> Tue, 06 May 2014 10:49:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65709#M16305 santhosh2kece 2014-05-06T10:49:59Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65710#M16306 <P>I have a similar issue however I'm using a dnslookup. I've tried a few variations however, i can't seem to get the dnslookup result to appear on the table. </P> <PRE><CODE>index=xxx sourcetype="WinEventLog:Security" "EventCode=644" OR "EventCode=4740" | eval Win2K8_acc= mvindex(Account_Name,1) | eval "Locked_Account"=coalesce(Win2K8_acc,Target_Account_Name) | dnslookup forward ComputerName Client_Address | table account_domain account_name ComputerName Caller_Computer_Name Client_Address </CODE></PRE> <P>In the above example, the "Client_Address" field is ooming up blank. Any ideas? thanks in advance!</P> Thu, 21 Aug 2014 22:44:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65710#M16306 sadkha 2014-08-21T22:44:30Z https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65711#M16307 <P>@sadkha - the syntax is wrong for your lookup in the fourth line. Here is a link to the <A href="http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup">lookup command</A>. So I think that what you want might be:</P> <PRE><CODE> | lookup dnslookup clientip as Client_Address OUTPUT clienthost as ComputerName </CODE></PRE> <P>But I am not sure that I know what your field names are...</P> Tue, 04 Oct 2016 01:53:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-include-additional-field-from-inputlookup-in-results/m-p/65711#M16307 lguinn2 2016-10-04T01:53:35Z