https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569615#M198529 <P>Hello,</P><P>Now, i have some changes but still i can't list with lookup file's value;</P><P>&lt;base search&gt; |eval user_info=host."".Huawei_int |lookup fttb_user.csv ipport as user_info OUTPUT user |search user_info=10.58.35.144GigabitEthernet0/0/7 | stats count by Date,user_info,Huawei_status | sort -count |where count&gt;6</P><P>Stats without user field;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corehan_0-1633384062035.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16269iF3B38D3C8104E208/image-size/medium?v=v2&amp;px=400" role="button" title="corehan_0-1633384062035.png" alt="corehan_0-1633384062035.png" /></span></P><P>&nbsp;</P><P>Stats with user field;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corehan_1-1633384118621.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16270iEEB063200CD004D7/image-size/medium?v=v2&amp;px=400" role="button" title="corehan_1-1633384118621.png" alt="corehan_1-1633384118621.png" /></span></P><P>lookup csv file;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corehan_2-1633384255583.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16271iCE168BA9749335D0/image-size/medium?v=v2&amp;px=400" role="button" title="corehan_2-1633384255583.png" alt="corehan_2-1633384255583.png" /></span></P><P>&nbsp;</P> Mon, 04 Oct 2021 21:51:14 GMT corehan 2021-10-04T21:51:14Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569485#M198490 <P>Hello dears,</P><P>I have switches, ip address,ports and i want list with users which are connected to the ports. Users informations include lookup file which name is list.csv, so;</P><P>list.csv contains : ip,port,user</P><P>&lt;base_search&gt;&nbsp; | lookup list.csv ip as host <FONT color="#FF0000">AND port as if_name</FONT> OUTPUT user |stats count by host,if_name,user</P> Sun, 03 Oct 2021 19:54:38 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569485#M198490 corehan 2021-10-03T19:54:38Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569488#M198492 <P>What is your question?</P><P>BTW, the <FONT face="courier new,courier">lookup</FONT> command does not recognize <FONT face="courier new,courier">AND</FONT> as a keyword.</P> Mon, 04 Oct 2021 00:25:35 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569488#M198492 richgalloway 2021-10-04T00:25:35Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569495#M198496 <P>Exactly, so highleted with red. if match host and if_name with lookup file, then list user info.</P><P>Regards.</P> Mon, 04 Oct 2021 05:04:50 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569495#M198496 corehan 2021-10-04T05:04:50Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569539#M198514 <P>Again I ask: What is your question?</P><P>So you know enough to highlight the syntax error in red, but not enough to look up the syntax and fix it?</P><P>Please describe the problem you are trying to solve.</P> Mon, 04 Oct 2021 12:14:08 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569539#M198514 richgalloway 2021-10-04T12:14:08Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569544#M198516 <P>Sorry, i can't list with user info, i need lookup syntax which is check ip and port from lookup file. How can i do this with correct lookup syntax? I should check 2 multivalue field and than add to user info. I hope, understand.</P><P><SPAN>&lt;base_search&gt;&nbsp; | lookup list.csv ip as host&nbsp;</SPAN><FONT color="#FF0000">AND port as if_name</FONT><SPAN>&nbsp;OUTPUT user |stats count by host,if_name,user</SPAN></P> Mon, 04 Oct 2021 13:31:38 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569544#M198516 corehan 2021-10-04T13:31:38Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569559#M198519 <P>The syntax for the <FONT face="courier new,courier">lookup</FONT> command is in the Search Reference manual at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Lookup#Syntax" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Lookup#Syntax</A></P><P>Did you try removing the <FONT face="courier new,courier">AND</FONT> keyword as I implied in my first reply?</P><P>I can't say I've tried it before, but I believe lookups do not work with multi-value fields.&nbsp; You'll have to use <FONT face="courier new,courier">mvindex</FONT> or another multi-value function to get a single-value field for the lookup.</P> Mon, 04 Oct 2021 13:46:06 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569559#M198519 richgalloway 2021-10-04T13:46:06Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569615#M198529 <P>Hello,</P><P>Now, i have some changes but still i can't list with lookup file's value;</P><P>&lt;base search&gt; |eval user_info=host."".Huawei_int |lookup fttb_user.csv ipport as user_info OUTPUT user |search user_info=10.58.35.144GigabitEthernet0/0/7 | stats count by Date,user_info,Huawei_status | sort -count |where count&gt;6</P><P>Stats without user field;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corehan_0-1633384062035.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16269iF3B38D3C8104E208/image-size/medium?v=v2&amp;px=400" role="button" title="corehan_0-1633384062035.png" alt="corehan_0-1633384062035.png" /></span></P><P>&nbsp;</P><P>Stats with user field;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corehan_1-1633384118621.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16270iEEB063200CD004D7/image-size/medium?v=v2&amp;px=400" role="button" title="corehan_1-1633384118621.png" alt="corehan_1-1633384118621.png" /></span></P><P>lookup csv file;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="corehan_2-1633384255583.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16271iCE168BA9749335D0/image-size/medium?v=v2&amp;px=400" role="button" title="corehan_2-1633384255583.png" alt="corehan_2-1633384255583.png" /></span></P><P>&nbsp;</P> Mon, 04 Oct 2021 21:51:14 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569615#M198529 corehan 2021-10-04T21:51:14Z https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569683#M198551 <P>It's impossible to say why the data is not matching the lookup without seeing the data.&nbsp; Please share some samples.</P><P>Also, the <FONT face="courier new,courier">lookup</FONT> command is specifying the 'user_info' field, which does not exist in the lookup file.</P> Tue, 05 Oct 2021 12:19:01 GMT https://community.splunk.com/t5/Splunk-Search/search-with-lookup/m-p/569683#M198551 richgalloway 2021-10-05T12:19:01Z