topic Re: How do I compare lookup field to search and print another field in lookup file? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638693#M221307 <P>You would need to use "lookup" command to enrich your data from lookup table fields, like this</P><LI-CODE lang="markup">index=windows sourcetype:eventlogs | lookup users.csv hostname as host OUTPUT username as users</LI-CODE> Tue, 04 Apr 2023 18:39:51 GMT somesoni2 2023-04-04T18:39:51Z How do I compare lookup field to search and print another field in lookup file? https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638681#M221304 <P>Currently in my logs I am getting the hostname of the users but not their usernames. I created a lookup table that contains hostnames and usernames. I am trying to match the hostname from search to the hostname in the lookup file and then print their correlated username in a table format in the search visualization.&nbsp;<BR /><BR />Lookup file:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%"><STRONG>hostname</STRONG></TD><TD width="50%"><STRONG>username</STRONG></TD></TR><TR><TD width="50%">host1</TD><TD width="50%">user1</TD></TR><TR><TD width="50%">host2</TD><TD width="50%">user2</TD></TR><TR><TD width="50%">host3</TD><TD width="50%">user3</TD></TR><TR><TD width="50%">host4</TD><TD width="50%">user4</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>search:<BR />index=windows sourcetype:eventlogs&nbsp;<BR />[|inputlookup users.csv | fields hostname username | rename hostname as users]<BR />~~~print username correlated to "users" in the above string.~~~</P> Tue, 04 Apr 2023 16:33:43 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638681#M221304 cyrus_thesplunk 2023-04-04T16:33:43Z Re: How do I compare lookup field to search and print another field in lookup file? https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638693#M221307 <P>You would need to use "lookup" command to enrich your data from lookup table fields, like this</P><LI-CODE lang="markup">index=windows sourcetype:eventlogs | lookup users.csv hostname as host OUTPUT username as users</LI-CODE> Tue, 04 Apr 2023 18:39:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638693#M221307 somesoni2 2023-04-04T18:39:51Z Re: How do I compare lookup field to search and print another field in lookup file? https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638818#M221345 <P>Got it. I understand this part but where are you comparing the hostname in the search to hostname in the lookup file and then printing the username correlated to that hostname in the table.<BR /><BR />This is what the search visualization results should look like.<BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="25%" height="25px">Time</TD><TD width="25%" height="25px">Hostname</TD><TD width="25%" height="25px">Username</TD><TD width="25%" height="25px">Src IP</TD></TR><TR><TD width="25%" height="25px">5:01 am</TD><TD width="25%" height="25px">host1</TD><TD width="25%" height="25px">user1</TD><TD width="25%" height="25px">192.xxx.xxx.xxx</TD></TR><TR><TD width="25%" height="25px">5:07 am</TD><TD width="25%" height="25px">host2</TD><TD width="25%" height="25px">user2</TD><TD width="25%" height="25px">192.xxx.xxx.xxx</TD></TR><TR><TD width="25%" height="25px">5:09 am</TD><TD width="25%" height="25px">host3</TD><TD width="25%" height="25px">user3</TD><TD width="25%" height="25px">192.xxx.xxx.xxx</TD></TR></TBODY></TABLE><P><BR />Username information is the only thing thats coming from the lookup file. Rest of it comes from the search.&nbsp;</P> Wed, 05 Apr 2023 11:03:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638818#M221345 cyrus_thesplunk 2023-04-05T11:03:09Z Re: How do I compare lookup field to search and print another field in lookup file? https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638925#M221392 <P>index="windows" AND sourcetype="eventlogs"<BR />| lookup users.csv hostname AS host OUTPUT username AS users<BR />| table _time Time Hostname Username Src IP</P> Thu, 06 Apr 2023 00:24:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/638925#M221392 woodcock 2023-04-06T00:24:54Z Re: How do I compare lookup field to search and print another field in lookup file? https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/639022#M221421 <P>Thank you! This worked perfectly</P> Thu, 06 Apr 2023 13:17:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-compare-lookup-field-to-search-and-print-another-field/m-p/639022#M221421 cyrus_thesplunk 2023-04-06T13:17:33Z