https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576685#M200977 <P>Thanks again, adding the error codes on multiple lines works</P> Tue, 30 Nov 2021 06:07:15 GMT giorgioanastasi 2021-11-30T06:07:15Z https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576538#M200924 <P>Hi all, I have this need, compare a field with a series of error codes. I would not like to write in the search, any error codes, but I would like to use a lookup table. I then entered the error codes in a column (Name = Errors) of the table, but when i&nbsp; perform the search, they are not compared correctly.</P><P>In the column, for example, is present: login.error.1004</P><P>In the search: tag = Log | lookup ServiziApp.csv ServiceName AS Service | search Functionality = "Access" errorCode! = Errors</P><P>But the lines despite having a field = login.error.1004, are displayed. Checking the extracted fields, the errorCode field contains login.error.1004 and the Errors field also contains login.error.1004.</P><P>Thanks in advance</P> Sun, 28 Nov 2021 20:45:00 GMT https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576538#M200924 giorgioanastasi 2021-11-28T20:45:00Z https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576539#M200925 <P>Firstly, the search command does not compare field against field, so the&nbsp;</P><LI-CODE lang="markup">errorCode! = Errors</LI-CODE><P>is actually looking for the text Errors in the errorCode field.</P><P>replace the search with</P><LI-CODE lang="markup">| where Functionality="Access" AND !match(errorCode, Errors)</LI-CODE><P>however,&nbsp; do you have the same ServiceName more than once in the lookup file. If so, then you will have Errors as a multi value field, and you would have to use something like&nbsp;</P><LI-CODE lang="markup">| where !in(errorCode, Errors)</LI-CODE><P>for that case.</P><P>&nbsp;</P> Sun, 28 Nov 2021 21:26:10 GMT https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576539#M200925 bowesmana 2021-11-28T21:26:10Z https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576576#M200939 <P>Hi Bowesmana and thanks for the response.</P><P>match work correctly with one error code,&nbsp;if i add other error codes in the lookup table, !IN(errorCode, Errors) does not work, i.e. the search does not filter these cases.</P><P>This is the contents of the lookup column:</P><P>login.error.E99999 login.error.10002</P> Mon, 29 Nov 2021 10:12:46 GMT https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576576#M200939 giorgioanastasi 2021-11-29T10:12:46Z https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576580#M200940 <P>OK, there's the issue - the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want&nbsp;</P><P>In that case, the in() logic will work when you do the lookup, as all the errorcodes from the lookup file matching the service you are looking for, will be returned as a multi-value field and then the in() can find it.</P><P>&nbsp;</P> Mon, 29 Nov 2021 10:17:24 GMT https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576580#M200940 bowesmana 2021-11-29T10:17:24Z https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576685#M200977 <P>Thanks again, adding the error codes on multiple lines works</P> Tue, 30 Nov 2021 06:07:15 GMT https://community.splunk.com/t5/Splunk-Search/Compare-field-with-column-of-lookup-table/m-p/576685#M200977 giorgioanastasi 2021-11-30T06:07:15Z