https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/598723#M208481 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222210">@aasabatini</a>&nbsp;</P><P>I have the below SPL: -</P><PRE>| inputlookup table1.csv where index="xxx" | fields index, host <BR />| search NOT [search index="xxx" | dedup host | table index, host]</PRE><P><SPAN>I have table2.csv with following fields: -</SPAN><BR /><SPAN>index, host, lastTime</SPAN></P><P>I need to search the results from above SPL based on host and index in table2.csv and get the corresponding value of the column: lastTime. Thus, as the final resultset, I need: - index, host,&nbsp; lastTime.&nbsp;</P><P>Please help with your suggestions.&nbsp;</P><P>Thank you</P> Fri, 20 May 2022 19:43:45 GMT Taruchit 2022-05-20T19:43:45Z https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/550602#M156250 <P><SPAN>Hi everyone,&nbsp; I'm trying to get the following search work, but for some reason I'm doing something wrong:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">inputlookup events_lookup | eval key = _key |search key in [| inputlookup notable_events_lookup search name="tobedeleted" | fields - _time | fields event_id] |table key</LI-CODE><P>&nbsp;</P><P><SPAN>I'm basically trying to import event_id from a lookup ( notable_events_lookup) which is matching to another lookup (evets_lookup) in order to remove the matching event in the lookup (events_lookup)</SPAN></P><P>I hope it makes sense what I'm trying to explain. Thanks everyone</P><P>&nbsp;</P> Thu, 06 May 2021 06:52:08 GMT https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/550602#M156250 g_paternicola 2021-05-06T06:52:08Z https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/550604#M156252 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/227231">@g_paternicola</a>&nbsp;</P><P>&nbsp;</P><P>try this</P><LI-CODE lang="markup">inputlookup events_lookup | eval key = _key | search [| inputlookup notable_events_lookup search name="tobedeleted" | fields - _time | rename event_id as key | fields key] |table key</LI-CODE> Thu, 06 May 2021 07:06:50 GMT https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/550604#M156252 aasabatini 2021-05-06T07:06:50Z https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/550606#M156253 <P>Thanks a lot! it works <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 06 May 2021 07:14:23 GMT https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/550606#M156253 g_paternicola 2021-05-06T07:14:23Z https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/598723#M208481 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222210">@aasabatini</a>&nbsp;</P><P>I have the below SPL: -</P><PRE>| inputlookup table1.csv where index="xxx" | fields index, host <BR />| search NOT [search index="xxx" | dedup host | table index, host]</PRE><P><SPAN>I have table2.csv with following fields: -</SPAN><BR /><SPAN>index, host, lastTime</SPAN></P><P>I need to search the results from above SPL based on host and index in table2.csv and get the corresponding value of the column: lastTime. Thus, as the final resultset, I need: - index, host,&nbsp; lastTime.&nbsp;</P><P>Please help with your suggestions.&nbsp;</P><P>Thank you</P> Fri, 20 May 2022 19:43:45 GMT https://community.splunk.com/t5/Splunk-Search/Nested-lookup-search/m-p/598723#M208481 Taruchit 2022-05-20T19:43:45Z