https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563060#M196173 <P>You could try creating a shortened version of the source field which matches the format you have in your lookup file</P><LI-CODE lang="markup">index=int_gcg_apac_solace_166076 host="mwgcb-csrla0*U*" source="/logs/confluent/connect-distributed/apac/TW/*" "Task is being killed and will not recover until manually restarted" | rex field=_raw "(?ms)id\=(?P&lt;Connector&gt;(\w+\.){1,9}\w+\-\d)\}" | rex field=source "^(?&lt;src&gt;(/[^/]+){5})" | eval src=src."/*" | lookup region_lookup.csv src</LI-CODE> Thu, 12 Aug 2021 11:54:07 GMT ITWhisperer 2021-08-12T11:54:07Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563057#M196171 <P>Hi All,</P><P>I am using below query to search for certain logs:</P><P>index=int_gcg_apac_solace_166076 host="mwgcb-csrla0*U*" source="/logs/confluent/connect-distributed/apac/TW/*" "Task is being killed and will not recover until manually restarted" | rex field=_raw "(?ms)id\=(?P&lt;Connector&gt;(\w+\.){1,9}\w+\-\d)\}" | lookup region_lookup.csv "source"</P><P>But while using the command | lookup region_lookup.csv "source", its not getting me any result based on the lookup table for the Region.&nbsp;</P><P>I am trying to create a query using lookup table which will be as below:</P><TABLE width="470"><TBODY><TR><TD width="330">source</TD><TD width="140">Region</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/HK/*</TD><TD>HongKong</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/SG/*</TD><TD>Singapore</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/AU/*</TD><TD>Australia</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/VN/*</TD><TD>Vietnam</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/MY/*</TD><TD>Malaysia</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/ID/*</TD><TD>Indonesia</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/TH/*</TD><TD>Thailand</TD></TR><TR><TD width="330">/logs/confluent/connect-distributed/apac/TW/*</TD><TD>Taiwan</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Note: Each source have multiple folders inside it e.g. "logs/confluent/connect-distributed/apac/TW/*" will have file paths like "logs/confluent/connect-distributed/apac/TW/kafkaconnect.log", "logs/confluent/connect-distributed/apac/TW/kafkaconnect.log1", "logs/confluent/connect-distributed/apac/TW/kafkaconnect.log2" and so on..&nbsp; And the searched indicator&nbsp;"Task is being killed and will not recover until manually restarted" may go into any of the folders.</P><P>Is there any way I can use, so that I can use the lookup table as desired..?<BR />Your kind advise will be highly appreciated..</P><P>Thank You..!!</P> Thu, 12 Aug 2021 11:38:32 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563057#M196171 Mrig342 2021-08-12T11:38:32Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563060#M196173 <P>You could try creating a shortened version of the source field which matches the format you have in your lookup file</P><LI-CODE lang="markup">index=int_gcg_apac_solace_166076 host="mwgcb-csrla0*U*" source="/logs/confluent/connect-distributed/apac/TW/*" "Task is being killed and will not recover until manually restarted" | rex field=_raw "(?ms)id\=(?P&lt;Connector&gt;(\w+\.){1,9}\w+\-\d)\}" | rex field=source "^(?&lt;src&gt;(/[^/]+){5})" | eval src=src."/*" | lookup region_lookup.csv src</LI-CODE> Thu, 12 Aug 2021 11:54:07 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563060#M196173 ITWhisperer 2021-08-12T11:54:07Z https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563093#M196184 <P>Thank you very much ITWhisperer..!!&nbsp; You Rock..!!</P><P>The query worked perfect and I am able to get my desired output.</P><P>Thanks again.</P> Thu, 12 Aug 2021 15:48:10 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-with-lookup-query/m-p/563093#M196184 Mrig342 2021-08-12T15:48:10Z