https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639221#M221488 <P>Thank you. I figured out my problem.<BR /><BR />On the query I was trying to use username=mike and trying to reference the name mike in my emaillookup.csv lookup table. However, the name in the lookup table was in the form of <A href="mailto:mike@my-site.com" target="_blank">mike@my-site.com</A>&nbsp;. I had to regex the "@my-site.com" from the name mike in order to reference mike. &nbsp;Once I was referencing mike on both the query and the lookup table, I was able to pull the fields I needed.&nbsp;<BR /><BR />Thanks for both of your recommendations</P> Fri, 07 Apr 2023 16:09:49 GMT dionrivera 2023-04-07T16:09:49Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/638701#M221309 <P>Hello. I've been watching a few lookup videos but they mostly concentrate on extracting data from a lookup file. None of them are addressing a case where you have to correlate a field from a query to a field from a lookup file. Here is my example. I have a query (index=web username=mike) I would like to pull Mike's email from a emaillookup.csv file so that my final table result looks like below.&nbsp;</P> <P>&nbsp;</P> <P>username&nbsp; &nbsp; email</P> <P>mike&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<A href="mailto:mike@yahoo.com" target="_blank" rel="noopener">mike@yahoo.com</A></P> <P>&nbsp;</P> <P>So far, I have tried index=web username=mike | lookup emaillookup.csv email OUTPUT username with no success</P> Mon, 10 Apr 2023 16:10:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/638701#M221309 dionrivera 2023-04-10T16:10:18Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639053#M221430 <P>Hi,</P><P>Try swapping your input and output fields:</P><P>index=web username=mike | lookup emaillookup.csv username output email</P><P>The lookup command takes the form:</P><P>| lookup &lt;lookup_name&gt; &lt;lookup_field_name&gt; [as &lt;event_field_name&gt;] output &lt;lookup_field_name_1&gt; [as &lt;event_field_name_1&gt;] [&lt;lookup_field_name_2&gt; [as &lt;event_field_name_2&gt;] ...]</P> Thu, 06 Apr 2023 17:24:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639053#M221430 tscroggins 2023-04-06T17:24:38Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639081#M221436 <P>Like this:<BR /><BR /><SPAN>index="web" AND username="mike"<BR /></SPAN>| lookup <SPAN>emaillookup.csv</SPAN>&nbsp;nameFieldInLookupFIle AS username OUTPUT email</P> Thu, 06 Apr 2023 19:57:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639081#M221436 woodcock 2023-04-06T19:57:03Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639221#M221488 <P>Thank you. I figured out my problem.<BR /><BR />On the query I was trying to use username=mike and trying to reference the name mike in my emaillookup.csv lookup table. However, the name in the lookup table was in the form of <A href="mailto:mike@my-site.com" target="_blank">mike@my-site.com</A>&nbsp;. I had to regex the "@my-site.com" from the name mike in order to reference mike. &nbsp;Once I was referencing mike on both the query and the lookup table, I was able to pull the fields I needed.&nbsp;<BR /><BR />Thanks for both of your recommendations</P> Fri, 07 Apr 2023 16:09:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639221#M221488 dionrivera 2023-04-07T16:09:49Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639227#M221490 <P>You can create a lookup definition and use "WILDCARD(user)" and make it "mike*" and it will match either.</P> Fri, 07 Apr 2023 16:34:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639227#M221490 woodcock 2023-04-07T16:34:11Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639671#M221666 <P>So, if I had more than one user, could I use WILDCARD(user*)?</P> Wed, 12 Apr 2023 17:18:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639671#M221666 dionrivera 2023-04-12T17:18:56Z https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639673#M221668 <P>Any user that starts with "mike" would match.</P> Wed, 12 Apr 2023 17:26:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-correlate-a-field-from-a-query-to-a-field-from-a-lookup/m-p/639673#M221668 woodcock 2023-04-12T17:26:56Z