https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597551#M208047 <P>In the lookup table the headers are:</P><P>EventCode,action,Error_Code,Description</P><P>1111,failure,0x00006d,bad username</P><P>For query1 it is as below:</P><P>Message1,Message2, Status</P><P>The "status" field from query1 is produced from a rex command.</P> Thu, 12 May 2022 09:14:17 GMT johanhakim 2022-05-12T09:14:17Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597542#M208040 <P>Hi,</P><P>I have 2 separate queries as below:</P><P><STRONG>Query1:&nbsp;</STRONG>(normal splunk search e.g. index=* host=abcde | table Message1,Message2,Status ....)</P><P>Message1, Message2, Status</P><P>aaaa,bbbb,0x000006d</P><P><STRONG>Query2:&nbsp;</STRONG>(using inputlookup blabla.csv | table Status,Action)</P><P>Status,Action</P><P>0x00006d,Failure</P><P>How do i map both queries above and produce output as below:</P><P><STRONG>Output:</STRONG></P><P>Message1,Message2,Status,Action</P><P>aaaa,bbbb,0x00006d,Failure</P><P>Basically the Status from Query1 needs to be mapped with Query2 and output the corresponding action.</P><P>Appreciate the help!</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 12 May 2022 08:20:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597542#M208040 johanhakim 2022-05-12T08:20:51Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597547#M208043 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241740">@johanhakim</a>,<BR /><BR />After Query 1 you could use:<BR /><BR /></P><LI-CODE lang="markup">| lookup blabla.csv Status OUTPUT Action</LI-CODE><P><BR />One of multiple approaches.<BR /><BR />Hope it helps.<BR />Ralph</P> Thu, 12 May 2022 08:43:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597547#M208043 rnowitzki 2022-05-12T08:43:38Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597548#M208044 <P class="lia-align-left">Only Status column has value. No value under the action column. Seems like it is not mapping. Any other way?</P> Thu, 12 May 2022 09:03:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597548#M208044 johanhakim 2022-05-12T09:03:20Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597549#M208045 <P>What are the actual column names in the lookup table? Is it "Status" and "Action" (Starting with capital letter)?<BR />Also the fields from Query 1?</P> Thu, 12 May 2022 09:09:16 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597549#M208045 rnowitzki 2022-05-12T09:09:16Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597551#M208047 <P>In the lookup table the headers are:</P><P>EventCode,action,Error_Code,Description</P><P>1111,failure,0x00006d,bad username</P><P>For query1 it is as below:</P><P>Message1,Message2, Status</P><P>The "status" field from query1 is produced from a rex command.</P> Thu, 12 May 2022 09:14:17 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597551#M208047 johanhakim 2022-05-12T09:14:17Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597553#M208049 <P>Not to worry, i found the solution!</P><P>The Error_Code (i have renamed this to Status) in Query 2 was in uppercase whereas the Status in Query 1 was in lowercase. After matching them to either upper/lower case, i&nbsp; managed to get the desired output based on your lookup recommendation.</P><P>Thanks anyways! <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P> Thu, 12 May 2022 09:22:00 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597553#M208049 johanhakim 2022-05-12T09:22:00Z https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597554#M208050 <P>So, there is no "Status" field in the Lookup, that's why it didn't map.<BR /><BR />I assume the field "<SPAN>Error_Code" is what you want to map with the "Status" from Query 1.<BR /></SPAN></P><LI-CODE lang="markup">| lookup blabla.csv Status as "Error_Code" OUTPUT Action</LI-CODE><P><BR /><BR /></P> Thu, 12 May 2022 09:22:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-map-value-from-inputlookup-to-another-search/m-p/597554#M208050 rnowitzki 2022-05-12T09:22:21Z