https://community.splunk.com/t5/Splunk-Search/How-to-pull-additional-fields-from-a-lookup-that-is-using/m-p/562492#M195626 <P>One can use wildcards in a lookup if one defines the lookup that way.&nbsp; Go to Settings-&gt;Lookups and click on "Lookup definitions".&nbsp; Add a new definition that references mylookup.csv.&nbsp; Click the Advanced box and type "WILDCARD(Message)" in the "Match type" box.</P><P>Invoke the wildcard lookup with the <FONT face="courier new,courier">lookup</FONT> command (see the Search Reference manual for the difference between <FONT face="courier new,courier">lookup</FONT> and <FONT face="courier new,courier">inputlookup</FONT>).</P><LI-CODE lang="markup">index=os source=/var/log/messages host=linuxserver1p | rex field=_raw "(?&lt;Message&gt;.*)" | lookup mylookup Message OUTPUT Severity | table Message Severity</LI-CODE> Sat, 07 Aug 2021 13:29:05 GMT richgalloway 2021-08-07T13:29:05Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-additional-fields-from-a-lookup-that-is-using/m-p/562467#M195620 <P>I'm trying to build a search that will return an event and the severity of that event. I have the events with wildcards for parts that might change and severity in a lookup.<BR /><BR />Here's an example from my lookup<BR />Message,Severity<BR />*kernel: nfs: server * OK,normal<BR />*kernel: nfs: server * not responding* still trying,critical<BR /><BR />If I run this search I get back the results I'd like, but have no way of referencing this back to the lookup to grab severity because the Message doesn't match whats in the lookup due to the wildcards<BR /><BR />index=os source=/var/log/messages host=linuxserver1p | rex field=_raw "(?&lt;Message&gt;.*)"<BR />| search [inputlookup mylookup.csv | table Message]</P><DIV class="shared-eventsviewer-shared-rawfield"><DIV class="raw-event normal wrap "><SPAN class="t"><SPAN class="t h">Jul</SPAN> 28 02:15:40 linuxserverp kernel: nfs: server fixdist OK<BR />Jul</SPAN> <SPAN class="t">28</SPAN> <SPAN class="t">01:30:37</SPAN> <SPAN class="t">linuxserver1p</SPAN> <SPAN class="t">kernel:</SPAN> <SPAN class="t">nfs:</SPAN> <SPAN class="t">server</SPAN> <SPAN class="t">fixdist</SPAN> <SPAN class="t h">not</SPAN> <SPAN class="t">responding</SPAN>, <SPAN class="t">still</SPAN> <SPAN class="t"><SPAN class="t">trying<BR /><BR />How can I take these results back to my lookup and be able to pull severity out?<BR /><BR />Here is another search I've tried where I have both the results I want and the values from the lookup and I just need to join them together somehow, but as far as I can tell the join won't work with wildcards<BR /><BR /></SPAN></SPAN><P>|inputlookup mylookup.csv |rename Message as msg</P><P>| append[search index=os source=/var/log/messages host=linuxserver1p | rex field=_raw "(?&lt;Message&gt;.*)" | search [inputlookup mylookup.csv | table Message]]</P><P>|table Message msg Severity</P><SPAN class="t"><BR />&nbsp;</SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV></DIV> Tue, 21 Sep 2021 17:55:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-additional-fields-from-a-lookup-that-is-using/m-p/562467#M195620 joeybagofdonuts 2021-09-21T17:55:09Z https://community.splunk.com/t5/Splunk-Search/How-to-pull-additional-fields-from-a-lookup-that-is-using/m-p/562492#M195626 <P>One can use wildcards in a lookup if one defines the lookup that way.&nbsp; Go to Settings-&gt;Lookups and click on "Lookup definitions".&nbsp; Add a new definition that references mylookup.csv.&nbsp; Click the Advanced box and type "WILDCARD(Message)" in the "Match type" box.</P><P>Invoke the wildcard lookup with the <FONT face="courier new,courier">lookup</FONT> command (see the Search Reference manual for the difference between <FONT face="courier new,courier">lookup</FONT> and <FONT face="courier new,courier">inputlookup</FONT>).</P><LI-CODE lang="markup">index=os source=/var/log/messages host=linuxserver1p | rex field=_raw "(?&lt;Message&gt;.*)" | lookup mylookup Message OUTPUT Severity | table Message Severity</LI-CODE> Sat, 07 Aug 2021 13:29:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pull-additional-fields-from-a-lookup-that-is-using/m-p/562492#M195626 richgalloway 2021-08-07T13:29:05Z