https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581422#M202552 <P>Rather than using join, you could try using append and stats, first to "join" the two index searches, then the "lookup" table</P><LI-CODE lang="markup">``` this makeresults represents the index a search ``` | makeresults | eval _raw="user action tom deleted aaron added" | multikv forceheader=1 ``` rename user field so it matches with field in index b ``` | rename user as id | append ``` this makeresults represents the index b search ``` [| makeresults | eval _raw="name,id Tom Brady,tom Aaron Rodgers,aaron" | multikv forceheader=1 ] ``` remove superfluous fields ``` | fields - _raw _time linecount ``` "join" by id ``` | stats values(*) as * by id | append ``` this makeresults represents the inputlookup ``` [| makeresults | eval _raw="name Tom Brady Foo Bar Aaron Rodgers" | multikv forceheader=1 ] ``` remove superfluous fields ``` | fields - _raw _time linecount ``` "join" by name ``` | stats values(*) as * by name ``` fill the empty fields ``` | fillnull value="N/A" action id</LI-CODE><P>&nbsp;</P> Tue, 18 Jan 2022 06:18:32 GMT ITWhisperer 2022-01-18T06:18:32Z https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581419#M202551 <P><BR />Please help!<BR />I have a lookup table and some data in two different indexes. Please help with a search that will produce an output like the following?&nbsp; I need to show "Foo Bar", which is present in the lookup, but has no values associated with the name in either index.<BR /><FONT face="courier new,courier" size="3">name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; id&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; action</FONT><BR /><FONT face="courier new,courier" size="3">Tom Brady&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tom&nbsp;&nbsp;&nbsp;&nbsp; deleted</FONT><BR /><FONT face="courier new,courier" size="3">Foo Bar&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N/A&nbsp;&nbsp;&nbsp;&nbsp; N/A</FONT><BR /><FONT face="courier new,courier" size="3">Aaron Rodgers&nbsp; aaron&nbsp;&nbsp; added</FONT></P><P><BR />inputlookup=player.csv, column heading is name<BR />Tom Brady<BR />Foo Bar<BR />Aaron Rodgers</P><P>index=a<BR />name="Tom Brady" id=tom<BR />name="Aaron Rodgers" id=aaron</P><P>index=b<BR />user=tom action=deleted<BR />user=aaron action=added</P><P>This is where I’m stuck. How can I also show "Foo Bar" as N/A ?</P><LI-CODE lang="markup">index=b | join type=inner user [ | search index=a [| inputlookup player.csv | fields name ] | rename id AS user ] | table name, user, action</LI-CODE><P>&nbsp;</P> Tue, 18 Jan 2022 05:32:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581419#M202551 hank72 2022-01-18T05:32:07Z https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581422#M202552 <P>Rather than using join, you could try using append and stats, first to "join" the two index searches, then the "lookup" table</P><LI-CODE lang="markup">``` this makeresults represents the index a search ``` | makeresults | eval _raw="user action tom deleted aaron added" | multikv forceheader=1 ``` rename user field so it matches with field in index b ``` | rename user as id | append ``` this makeresults represents the index b search ``` [| makeresults | eval _raw="name,id Tom Brady,tom Aaron Rodgers,aaron" | multikv forceheader=1 ] ``` remove superfluous fields ``` | fields - _raw _time linecount ``` "join" by id ``` | stats values(*) as * by id | append ``` this makeresults represents the inputlookup ``` [| makeresults | eval _raw="name Tom Brady Foo Bar Aaron Rodgers" | multikv forceheader=1 ] ``` remove superfluous fields ``` | fields - _raw _time linecount ``` "join" by name ``` | stats values(*) as * by name ``` fill the empty fields ``` | fillnull value="N/A" action id</LI-CODE><P>&nbsp;</P> Tue, 18 Jan 2022 06:18:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581422#M202552 ITWhisperer 2022-01-18T06:18:32Z https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581597#M202612 <P>Thank you very much.&nbsp; Your suggestion and example was of great help to me.</P> Wed, 19 Jan 2022 08:29:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-lookup-value-if-not-present-in-subsearch/m-p/581597#M202612 hank72 2022-01-19T08:29:14Z