https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566102#M197267 <P>Are you looking to have both values available at the same time? If so, you might consider changing your lookup to&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">testvalue1</TD><TD width="50%">testvalue2</TD></TR><TR><TD width="50%">value1</TD><TD width="50%">value2</TD></TR></TBODY></TABLE><P>then use inputlookup to add them to your search</P> Tue, 07 Sep 2021 09:36:27 GMT ITWhisperer 2021-09-07T09:36:27Z https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566082#M197255 <P>Hi,</P><P>In order to parametrize the search, I created a lookup with a couple of numerical values that I would like to easily change when necessary.</P><P>the format of the csv file (test.csv) is the following (this format could be changed based on the answers to this post)</P><LI-CODE lang="markup">Threshold Value name1 value1 name2 value2</LI-CODE><P>the only way to do what I want is the following query</P><LI-CODE lang="markup">| eval tempField="name1" | lookup test.csv Threshold as tempField OUTPUT Value as test1value</LI-CODE><P>&nbsp;</P><P>any better or more efficient way of doing this?</P><P>I was imagining something like the line below but it didnt manage to make it work.</P><LI-CODE lang="markup">| lookup test.csv Threshold as "name1" OUTPUT Value as test1value</LI-CODE><P>thanks!</P><P>&nbsp;</P> Tue, 07 Sep 2021 07:56:06 GMT https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566082#M197255 corti77 2021-09-07T07:56:06Z https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566102#M197267 <P>Are you looking to have both values available at the same time? If so, you might consider changing your lookup to&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">testvalue1</TD><TD width="50%">testvalue2</TD></TR><TR><TD width="50%">value1</TD><TD width="50%">value2</TD></TR></TBODY></TABLE><P>then use inputlookup to add them to your search</P> Tue, 07 Sep 2021 09:36:27 GMT https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566102#M197267 ITWhisperer 2021-09-07T09:36:27Z https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566134#M197286 <P>I created the CSV the way you proposed as I need to have both fields at the same time and I tried the following</P><P>index=_internal<BR />| head 5<BR />| inputlookup append=t test.csv</P><P>but it only creates new columns in a new event</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corti77_0-1631019603698.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15887i12122857A1B6C1F6/image-size/medium?v=v2&amp;px=400" role="button" title="corti77_0-1631019603698.png" alt="corti77_0-1631019603698.png" /></span></P><P>&nbsp;</P> Tue, 07 Sep 2021 13:00:18 GMT https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566134#M197286 corti77 2021-09-07T13:00:18Z https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566141#M197291 <LI-CODE lang="markup">index=_internal | head 5 | inputlookup append=t test.csv | eventstats values(CriticalDefault) as CriticalDefault values(WarningDefault) as WarningDefault | where isnotnull(_raw)</LI-CODE> Tue, 07 Sep 2021 13:43:33 GMT https://community.splunk.com/t5/Splunk-Search/Create-fields-from-the-lookup-content/m-p/566141#M197291 ITWhisperer 2021-09-07T13:43:33Z