https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586133#M204175 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241491">@SharmaS2</a>&nbsp;<BR /><BR />Can you try this&nbsp;<BR /><BR />index=xyz<BR />| lookup&nbsp;<SPAN>abc.csv&nbsp;Source_IP as&nbsp;src&nbsp;&nbsp;<BR />| table&nbsp;src,dst,city,counrty<BR /><BR /><STRONG>OR&nbsp;</STRONG><BR /><BR />index=xyz<BR />| join type=left src<BR />[| lookup&nbsp;abc.csv&nbsp;Source_IP as&nbsp;src<BR />| fields src]<BR /><BR />| table&nbsp;src,dst,city,counrty<BR /><BR /></SPAN></P> Wed, 23 Feb 2022 04:42:27 GMT SanjayReddy 2022-02-23T04:42:27Z https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586076#M204162 <P>Hi Team,</P> <P>i have one abc.csv file with&nbsp; only one colunm as Source_IP where values are in10.10.10.0/24 format .</P> <P>next i have&nbsp; index=xyz which has multiple column as dst,city,counrty , src is one of the&nbsp; column .</P> <P>here i need all data from index=xyz where Source_IP from abc.csv matches with src column of index=xyz.</P> <P>i have uploaded the file successfully but unable to find the relevant query to fetch data ..</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 22 Feb 2022 17:17:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586076#M204162 SharmaS2 2022-02-22T17:17:41Z https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586096#M204167 <P>Try something like this:</P><LI-CODE lang="markup">index=xyz [|inputlookup abc.csv |rename "Source_IP" as "src"|return 999 "src"] </LI-CODE><P>After the search, add a pipe (|) and the rest of your search criteria.&nbsp;</P> Tue, 22 Feb 2022 18:49:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586096#M204167 Stefanie 2022-02-22T18:49:15Z https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586133#M204175 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241491">@SharmaS2</a>&nbsp;<BR /><BR />Can you try this&nbsp;<BR /><BR />index=xyz<BR />| lookup&nbsp;<SPAN>abc.csv&nbsp;Source_IP as&nbsp;src&nbsp;&nbsp;<BR />| table&nbsp;src,dst,city,counrty<BR /><BR /><STRONG>OR&nbsp;</STRONG><BR /><BR />index=xyz<BR />| join type=left src<BR />[| lookup&nbsp;abc.csv&nbsp;Source_IP as&nbsp;src<BR />| fields src]<BR /><BR />| table&nbsp;src,dst,city,counrty<BR /><BR /></SPAN></P> Wed, 23 Feb 2022 04:42:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586133#M204175 SanjayReddy 2022-02-23T04:42:27Z https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586187#M204195 <P>thanks ..its working properly ..</P><P>&nbsp;</P><P>can you please explain what is&nbsp;</P><PRE>return 999</PRE> Wed, 23 Feb 2022 10:54:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586187#M204195 SharmaS2 2022-02-23T10:54:34Z https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586231#M204213 <P>Sure!</P><P>The return command returns values from the subsearch (The stuff in your brackets) so that you can use it to compare with your main search. But the return command automatically limits the number of items returned, you have to tell it how many to return.&nbsp;<BR />Because I don't know how big your csv is, 999 was a safe bet.&nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 23 Feb 2022 13:29:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-lookup-in-Splunk/m-p/586231#M204213 Stefanie 2022-02-23T13:29:39Z