https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614065#M213397 <P>two lookup statement on same lookup file,&nbsp;</P><P>2nd lookup statement overriding first lookup statement output and making it null.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Abhineet_0-1663837350898.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21602i2CA550B56044DAA8/image-size/medium?v=v2&amp;px=400" role="button" title="Abhineet_0-1663837350898.png" alt="Abhineet_0-1663837350898.png" /></span></P><P>&nbsp;</P> Thu, 22 Sep 2022 09:02:48 GMT Abhineet 2022-09-22T09:02:48Z https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614060#M213393 <P>Want to create search to get info from lookup file if event field contains data from two field in lookup file.</P> <P>log event have field <STRONG>"machineUserName"&nbsp;</STRONG>having value <STRONG>"employeeNumber"</STRONG> or <STRONG>"Email-ID"</STRONG> want to do lookup from <STRONG>"workdayData.csv"</STRONG> having two separate field for&nbsp;<STRONG>"employeeNumber" </STRONG>and&nbsp;<STRONG>"Email-ID"</STRONG>&nbsp;want to create lookup query&nbsp; which will check&nbsp;<STRONG>"machineUserName"</STRONG> field from log event having either&nbsp;<STRONG>"employeeNumber"&nbsp;</STRONG>or&nbsp;<STRONG>"Email-ID" </STRONG>as value will check respective field in lookup and provide other information in lookup table.</P> <P><STRONG>Log Event Field</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Abhineet_0-1663835259712.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21601iA330E80FBD2139A0/image-size/medium?v=v2&amp;px=400" role="button" title="Abhineet_0-1663835259712.png" alt="Abhineet_0-1663835259712.png" /></span></P> <P><U><STRONG>Lookup-table:</STRONG></U>&nbsp;<STRONG>WorkdayData.csv</STRONG></P> <P><STRONG>Sample Data</STRONG></P> <P><U><STRONG>HEADER</STRONG></U>:empId,empNum,name,email,country,loc,locDesc,OCGRP,OCSGRP,deptName,jobTitle,empStatus,bu,l1MgrEmail<BR /><U><STRONG>Sample-Data</STRONG></U>: X0134567,AMAT-0134567,"Jose numo --CNTR","Jose_numo@contractor.amat.com","United States of America",CASCL,"Santa Clara,CA",AGS,OCE,"NACDC NAmer Entity","Logistics Operations - Supplie",Active,"AGS GPS&amp;T, Operations &amp; Central Engineering","Carmy_Hyden@amat.com"</P> <P>&nbsp;</P> Thu, 22 Sep 2022 15:09:35 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614060#M213393 Abhineet 2022-09-22T15:09:35Z https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614062#M213395 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236195">@Abhineet</a>,</P><P>the solution is using two times the lookup command:</P><LI-CODE lang="markup">&lt;your_search&gt; | lookup workdayData.csv employeeNumber AS machineUserName OUTPUTS &lt;lookup_columns&gt; | lookup workdayData.csv Email-ID AS machineUserName OUTPUTS &lt;lookup_columns&gt; | ...</LI-CODE><P>Only one addition information: don't use "-" in field names, it's better "_" becausae it could be interpretated as the subtraction operator.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 22 Sep 2022 08:47:13 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614062#M213395 gcusello 2022-09-22T08:47:13Z https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614065#M213397 <P>two lookup statement on same lookup file,&nbsp;</P><P>2nd lookup statement overriding first lookup statement output and making it null.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Abhineet_0-1663837350898.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21602i2CA550B56044DAA8/image-size/medium?v=v2&amp;px=400" role="button" title="Abhineet_0-1663837350898.png" alt="Abhineet_0-1663837350898.png" /></span></P><P>&nbsp;</P> Thu, 22 Sep 2022 09:02:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614065#M213397 Abhineet 2022-09-22T09:02:48Z https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614076#M213403 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236195">@Abhineet</a>,</P><P>please use OUTPUTNEW instead OUTPUT</P><LI-CODE lang="markup">&lt;your_search&gt; | lookup workdayData.csv employeeNumber AS machineUserName OUTPUTNEW &lt;lookup_columns&gt; | lookup workdayData.csv Email-ID AS machineUserName OUTPUTNEW &lt;lookup_columns&gt; | ...</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Thu, 22 Sep 2022 10:01:05 GMT https://community.splunk.com/t5/Splunk-Search/Search-to-get-info-from-lookup-file-if-event-field-contains-data/m-p/614076#M213403 gcusello 2022-09-22T10:01:05Z