https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317946#M166232 <P>On top of my mind, you can run a search for all indexes of the lookup table and display final result like this:-</P> <PRE><CODE>[|inputlookup mylookuptable.csv | table Indexname | rename Indexname as index] | your search to generate required statistics, make sure to include field 'index' | table index anyotherfield </CODE></PRE> <P>You can get better suggestions if you could share your actual query.</P> Tue, 05 Sep 2017 15:53:20 GMT somesoni2 2017-09-05T15:53:20Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317945#M166231 <P>Hi <BR /> I have a lookup table with the field (indexname). I want to use each lookup table field (indexname) values as a input to index in the search query.<BR /> so each time , query should pick one value from lookup table sequentially and execute search and display results as new column in same lookup table.</P> <P>For example:</P> <P>mylookuptable.csv</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3452iE8DB5825EF0B2CB8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>result as :<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3453i590C41B3ACC5BADD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>please, help me to derive query for this.</P> <P>Thanks<BR /> Mala S</P> Tue, 05 Sep 2017 15:23:02 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317945#M166231 mala_splunk_91 2017-09-05T15:23:02Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317946#M166232 <P>On top of my mind, you can run a search for all indexes of the lookup table and display final result like this:-</P> <PRE><CODE>[|inputlookup mylookuptable.csv | table Indexname | rename Indexname as index] | your search to generate required statistics, make sure to include field 'index' | table index anyotherfield </CODE></PRE> <P>You can get better suggestions if you could share your actual query.</P> Tue, 05 Sep 2017 15:53:20 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317946#M166232 somesoni2 2017-09-05T15:53:20Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317947#M166233 <P>So I have a working example of this</P> <P>The PegaVerbose.csv looks like this</P> <P>PegaAlertNumber PegaAlertV PegaLevel<BR /> PEGA0001 PEGA0001-HTTP interaction time exceeds limit Medium<BR /> PEGA0002 PEGA0002-Commit operation time exceeds limit High<BR /> PEGA0003 PEGA0003-Rollback operation time exceeds limit Medium<BR /> PEGA0004 PEGA0004-Quantity of data received by database query exceeds limit High<BR /> PEGA0005 PEGA0005-Query time exceeds limit Medium</P> <P>And the search I use is</P> <P>index=application sourcetype=Pega:Prod (PegaAlert=*) |lookup PegaVerbose.csv PegaAlertNumber as PegaAlert OUTPUT PegaAlertNumber PegaAlertV PegaLevel </P> <P>It matches up an event in the actual indexed data (the field named PegaAlert) with PegaAlertNumber in the csv, and then adds two new fields PegaAlertV PegaLevel that are available then for whatever you want. </P> <P>We also use this app for editing lookup files.<BR /> <A href="https://splunkbase.splunk.com/app/1724/">https://splunkbase.splunk.com/app/1724/</A></P> <P>Good luck.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3451i91A41AEBDFAD5A1D/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 05 Sep 2017 18:16:21 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317947#M166233 JDukeSplunk 2017-09-05T18:16:21Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317948#M166234 <P>It is generally not a good idea in Splunk to think in terms of "sequentially" doing anything. Usually you can code a search so that all the searching happens at the same time, or in exactly two phases, rather than one search per input record. </P> <P>Let's suppose that you have a file which has the index name and a value for another field, fieldA. In that situation, doing this...</P> <PRE><CODE>| inputcsv myindexandfieldA.csv | table Indexname fieldA | rename Indexname as index | format </CODE></PRE> <P>... creates a single field called "search" that contains this...</P> <PRE><CODE>( ( index="index1" AND fieldA="value1" ) OR ( index="index2" AND fieldA="value2" ) OR .... ) </CODE></PRE> <P>If you include that all within square braces at the beginning of your search, then it will bring back all the relevant records for processing. (note - the word "format" is optional if the rest of the code is inside of square braces.</P> <PRE><CODE> [| inputcsv myindexandfieldA.csv | table Indexname fieldA | rename Indexname as index | format] | stats sum(someotherfield) as manipulatedresult by index fieldA | table index fieldA manipulatedresult </CODE></PRE> Tue, 05 Sep 2017 18:28:49 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317948#M166234 DalJeanis 2017-09-05T18:28:49Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317949#M166235 <P>Here is my query, I need to check TrafficStatus for each Application. When i execute this query am not getting expected result.</P> <P>[|inputlookup mylookuptable.csv | table Application| rename Application as index1] |search index=$index1$ host=XXXX* | stats count as RR| eval TrafficStatus=if(RR&gt;1000,"X1","X2")|table index1 TrafficStatus</P> <P>Help on this!!</P> Wed, 06 Sep 2017 08:33:38 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317949#M166235 mala_splunk_91 2017-09-06T08:33:38Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317950#M166236 <P>Thanks for suggestion. <BR /> Here is my query. But I'm not able to get result.</P> <P>[|inputlookup mylookuptable.csv | table Application Normal_Traffic_status| rename Application as index format]|search host=xxx* |stats count as RR by index|eval TrafficStatus=if(RR&gt;1000,"Reston","Chicago")|table index TrafficStatus Normal_Traffic_status</P> <P>pls, check if anything worn in this.</P> <P>Thanks<BR /> Mala </P> Tue, 29 Sep 2020 15:37:21 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317950#M166236 mala_splunk_91 2020-09-29T15:37:21Z https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317951#M166237 <P>In addition to above query,<BR /> I want "Application" fields values to be added in search, but not "Normal_Traffic_status" field values. <BR /> As a result , I should get "Application", Normal_Traffic_status" ,"TrafficStatus " fields in a table.</P> Tue, 29 Sep 2020 15:37:24 GMT https://community.splunk.com/t5/Splunk-Search/Use-lookup-table-values-as-a-input-for-search-query-and-display/m-p/317951#M166237 mala_splunk_91 2020-09-29T15:37:24Z