https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563329#M196269 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;thank you for your solution,</P><P>I made some changes in my query, and it dosent work,</P><P>I would be happy if you can tell me what is the problem</P><P>Here is my new query:</P><P>index="example"</P><P>|eval type1=mvindex(type.split(":"),0)</P><P>|eval type2=mvindex(type.split(":"),1)</P><P>|search</P><P>[|inputlookup myfile.csv&nbsp;</P><P>| eval range=mvrange(1,3)</P><P>| mvexpand range</P><P>| eval type2=if(range==2,type,null)</P><P>| eval type1=if(range==1,type,null)</P><P>| table type1 type2]</P><P>|table type1 type2</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 15 Aug 2021 15:30:55 GMT Shimon81 2021-08-15T15:30:55Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/562748#M196085 <P class="lia-align-left">&nbsp;I want to run a base query where some fields has a value which is present in inputlookup table</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">For example,&nbsp; I have a csv file with the content:</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">type</P><P class="lia-align-left">1</P><P class="lia-align-left">2</P><P class="lia-align-left">3</P><P class="lia-align-left">.</P><P class="lia-align-left">.</P><P class="lia-align-left">and in my basesearch i have the fields : type1, type2</P><P class="lia-align-left">I tried this query but is not working:</P><P class="lia-align-left">index="example"</P><P class="lia-align-left"><SPAN>[|inputlookup myfile .csv&nbsp;|stats values(type) as types]</SPAN></P><P class="lia-align-left">|Where type1 in(types) OR type2 in(types)</P><P class="lia-align-left">|table type1 type2&nbsp;</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">Thanks</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">&nbsp;</P> Tue, 10 Aug 2021 14:48:46 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/562748#M196085 Shimon81 2021-08-10T14:48:46Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/562757#M196088 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237314">@Shimon81</a>,<BR /><BR />Your approach is right. You need to rewrite the query.</P><LI-CODE lang="markup">index="example" type1 IN([|inputlookup myfile.csv | stats values(type) as types | return $types]) OR type2 IN([|inputlookup myfile.csv | stats values(type) as types | return $types]) | table type1 type2</LI-CODE><P>&nbsp;</P><P>If this reply helps you, a like would be appreciated.</P> Tue, 10 Aug 2021 15:33:00 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/562757#M196088 manjunathmeti 2021-08-10T15:33:00Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/562768#M196094 <P>Alternatively (without the double lookup)</P><LI-CODE lang="markup">index="example" [|inputlookup myfile.csv | eval range=mvrange(1,3) | mvexpand range | eval type2=if(range==2,type,null) | eval type1=if(range==1,type,null) | table type1 type2] |table type1 type2 </LI-CODE> Tue, 10 Aug 2021 16:12:36 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/562768#M196094 ITWhisperer 2021-08-10T16:12:36Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563329#M196269 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;thank you for your solution,</P><P>I made some changes in my query, and it dosent work,</P><P>I would be happy if you can tell me what is the problem</P><P>Here is my new query:</P><P>index="example"</P><P>|eval type1=mvindex(type.split(":"),0)</P><P>|eval type2=mvindex(type.split(":"),1)</P><P>|search</P><P>[|inputlookup myfile.csv&nbsp;</P><P>| eval range=mvrange(1,3)</P><P>| mvexpand range</P><P>| eval type2=if(range==2,type,null)</P><P>| eval type1=if(range==1,type,null)</P><P>| table type1 type2]</P><P>|table type1 type2</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 15 Aug 2021 15:30:55 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563329#M196269 Shimon81 2021-08-15T15:30:55Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563330#M196270 <P>The split function takes 2 arguments, it isn't a method on the type object.</P><LI-CODE lang="markup">|eval type1=mvindex(split(type,":"),0) |eval type2=mvindex(split(type,":"),1)</LI-CODE> Sun, 15 Aug 2021 15:44:25 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563330#M196270 ITWhisperer 2021-08-15T15:44:25Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563333#M196271 <P>Yes You right, but is not my problem ,</P><P>I got result with type that not in my csv file</P><P>Here is my query:</P><P>index="example"</P><P>|eval type1=mvindex(split(type,":"),0)</P><P>|eval type2=mvindex(split(type,":"),1)</P><P>|search</P><P>[|inputlookup myfile.csv&nbsp;</P><P>| eval range=mvrange(1,3)</P><P>| mvexpand range</P><P>| eval type2=if(range==2,type,null)</P><P>| eval type1=if(range==1,type,null)</P><P>| table type1 type2]</P><P>|table type1 type2</P><P>&nbsp;</P><P>Thanks</P> Sun, 15 Aug 2021 16:01:30 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563333#M196271 Shimon81 2021-08-15T16:01:30Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563335#M196273 <P>Please explain what the issue is in more detail.</P> Sun, 15 Aug 2021 16:12:13 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563335#M196273 ITWhisperer 2021-08-15T16:12:13Z https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563337#M196275 <P>I have in my search base a field named 'type' that I need to split into type1 and type2 and to check if one of them exists in my csv file. My search at the moment is giving me a result that both types do not exist in the csv file, this is my query at the moment:&nbsp;</P><P>&nbsp;</P><P>index="example"</P><P>|eval type1=mvindex(split(type,":"),0)</P><P>|eval type2=mvindex(split(type,":"),1)</P><P>|search</P><P>[|inputlookup myfile.csv&nbsp;</P><P>| eval range=mvrange(1,3)</P><P>| mvexpand range</P><P>| eval type2=if(range==2,type,null)</P><P>| eval type1=if(range==1,type,null)</P><P>| table type1 type2]</P><P>|table type1 type2</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 15 Aug 2021 17:43:35 GMT https://community.splunk.com/t5/Splunk-Search/Subesearch-with-Inputlookup/m-p/563337#M196275 Shimon81 2021-08-15T17:43:35Z