https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613519#M213231 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249573">@desperate</a>,</P><P>You can try below;</P><LI-CODE lang="markup">index=userdatabase "abc12345" | lookup Lookup.csv code as opsID OUTPUT notes | eval isPresent=if(isnotnull(notes), "YES", "NO") | table username, isPresent</LI-CODE> Sun, 18 Sep 2022 10:32:46 GMT scelikok 2022-09-18T10:32:46Z https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613518#M213230 <P>Hi all,</P> <P>I am quite new to Splunk and now trying to create a dashboard panel using a query that does the following:</P> <UL> <LI>pulls the required fields from an index based on textfield input</LI> <LI>checks on one specific field "opsID" from the index against a field "code" in a csv i uploaded</LI> <LI>if it is present in the csv, I just want to return a simple output that I could use to display in a table form</LI> </UL> <P>The csv looks something like this:</P> <PRE>code, notes<BR />123, User<BR />456, Admin<BR />789, User</PRE> <P>&nbsp;</P> <P>Example of my query:</P> <PRE>index=userdatabase "abc12345"<BR />| eval abc=[|inputlookup Lookup.csv | where code=opsID| fields notes]<BR />| eval isPresent=if(abc!="", YES, NO)<BR />| table username, isPresent</PRE> <P>&nbsp;</P> <P>However I am getting errors like&nbsp;<SPAN>Error in 'eval' command: The expression is malformed. An unexpected character is reached at ')'. I tried for a few days can't seem to figure it out my mistake, hence hoping for some help over my basic question.. I got a feeling my logic could be wrong to begin with</SPAN></P> Sun, 18 Sep 2022 23:46:54 GMT https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613518#M213230 desperate 2022-09-18T23:46:54Z https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613519#M213231 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249573">@desperate</a>,</P><P>You can try below;</P><LI-CODE lang="markup">index=userdatabase "abc12345" | lookup Lookup.csv code as opsID OUTPUT notes | eval isPresent=if(isnotnull(notes), "YES", "NO") | table username, isPresent</LI-CODE> Sun, 18 Sep 2022 10:32:46 GMT https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613519#M213231 scelikok 2022-09-18T10:32:46Z https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613520#M213232 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249573">@desperate</a>,</P><P>you should read the documentation about lookup command at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Lookup" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Lookup</A>&nbsp;and it could be a good idea to follow the Splunk Search Tutorial to better learn abou SPL <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial</A> .</P><P>Anyway, to solve your problem, please try this:</P><LI-CODE lang="markup">index=userdatabase "abc12345" | lookup Lookup.csv code AS opsID OUTPUT notes | where notes=* | table code notes</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Sun, 18 Sep 2022 10:36:11 GMT https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613520#M213232 gcusello 2022-09-18T10:36:11Z https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613523#M213233 <P>Thank you Sir&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;.</P><P>Appreciate the help, both of you are correct. I did not think toward this direction, i was over complicating my own query.</P><P>It works now. Once again appreciate the quick response</P> Sun, 18 Sep 2022 11:14:45 GMT https://community.splunk.com/t5/Splunk-Search/Could-someone-help-me-with-inputlookup-within-a-search/m-p/613523#M213233 desperate 2022-09-18T11:14:45Z