https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/700095#M237593 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,<BR />But this will create a multiple fields, but I wish to have this in a single field and results duplicated as each entity. So it'll be easy for me to use lookup join<BR /><BR /></P><P>Example Dataset:</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%" height="24px">USER</TD><TD width="25%" height="24px">Rate</TD><TD width="25%" height="24px">Priority</TD></TR><TR><TD width="25%" height="24px">UX101</TD><TD width="25%" height="24px">1.4</TD><TD width="25%" height="24px">2</TD></TR><TR><TD width="25%" height="24px">UX101</TD><TD width="25%" height="24px">2.3</TD><TD width="25%" height="24px">4</TD></TR><TR><TD width="25%" height="24px">UX342</TD><TD width="25%" height="24px">4.6</TD><TD width="25%" height="24px">5</TD></TR><TR><TD width="25%" height="24px">UX515</TD><TD width="25%" height="24px">7.3</TD><TD width="25%" height="24px">1</TD></TR><TR><TD width="25%">UX515</TD><TD width="25%">2.1</TD><TD width="25%">3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Expecting Output:</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%" height="32px">USER</TD><TD width="25%" height="32px">Rate</TD><TD width="25%" height="32px">Priority</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">1.4</TD><TD width="25%" height="32px">1</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">1.4</TD><TD width="25%" height="32px">2</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">2.3</TD><TD width="25%" height="32px">3</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">2.3</TD><TD width="25%" height="32px">4</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">2.3</TD><TD width="25%" height="32px">5</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">1</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">2</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">3</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">4</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">5</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">1</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">2</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">3</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">4</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">5</TD></TR></TBODY></TABLE> Wed, 25 Sep 2024 14:45:58 GMT Thulasinathan_M 2024-09-25T14:45:58Z https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/699924#M237565 <P>Hi Splunk Experts,<BR />I've a lookup with field 'User', 'Rates' and 'Priority' (values 1 to 5). I use this lookup in my search, I wish to accomplish below Use cases. Kindly advice if it's possible.<BR /><BR />Cases:<BR />Lookup Priority value is '5', I've to get the max(Rates) from Priority Values 1 to 5.<BR />Lookup Priority value is '4', I've to get the max(Rates) from Priority Values 1 to 4.<BR />Lookup Priority value is '3', I've to get the max(Rates) from Priority Values 1 to 3.<BR />Lookup Priority value is '1', I've to get the max(Rates) from Priority Values 1.</P> Tue, 24 Sep 2024 11:17:41 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/699924#M237565 Thulasinathan_M 2024-09-24T11:17:41Z https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/699932#M237567 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253572">@Thulasinathan_M</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">| inputlookup your_lookup.csv | stats max((eval(Priority=*, Rate, 0))) AS Rate_5 max((eval(Priority&lt;5, Rate, 0))) AS Rate_4 max((eval(Priority&lt;4, Rate, 0))) AS Rate_3 max((eval(Priority&lt;2, Rate, 0))) AS Rate_1 BY User</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 24 Sep 2024 12:18:25 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/699932#M237567 gcusello 2024-09-24T12:18:25Z https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/700095#M237593 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,<BR />But this will create a multiple fields, but I wish to have this in a single field and results duplicated as each entity. So it'll be easy for me to use lookup join<BR /><BR /></P><P>Example Dataset:</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%" height="24px">USER</TD><TD width="25%" height="24px">Rate</TD><TD width="25%" height="24px">Priority</TD></TR><TR><TD width="25%" height="24px">UX101</TD><TD width="25%" height="24px">1.4</TD><TD width="25%" height="24px">2</TD></TR><TR><TD width="25%" height="24px">UX101</TD><TD width="25%" height="24px">2.3</TD><TD width="25%" height="24px">4</TD></TR><TR><TD width="25%" height="24px">UX342</TD><TD width="25%" height="24px">4.6</TD><TD width="25%" height="24px">5</TD></TR><TR><TD width="25%" height="24px">UX515</TD><TD width="25%" height="24px">7.3</TD><TD width="25%" height="24px">1</TD></TR><TR><TD width="25%">UX515</TD><TD width="25%">2.1</TD><TD width="25%">3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Expecting Output:</P><TABLE border="1" width="56.2500014464221%"><TBODY><TR><TD width="25%" height="32px">USER</TD><TD width="25%" height="32px">Rate</TD><TD width="25%" height="32px">Priority</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">1.4</TD><TD width="25%" height="32px">1</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">1.4</TD><TD width="25%" height="32px">2</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">2.3</TD><TD width="25%" height="32px">3</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">2.3</TD><TD width="25%" height="32px">4</TD></TR><TR><TD width="25%" height="32px">UX101</TD><TD width="25%" height="32px">2.3</TD><TD width="25%" height="32px">5</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">1</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">2</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">3</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">4</TD></TR><TR><TD width="25%" height="32px">UX342</TD><TD width="25%" height="32px">4.6</TD><TD width="25%" height="32px">5</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">1</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">2</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">3</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">4</TD></TR><TR><TD width="25%" height="32px">UX515</TD><TD width="25%" height="32px">7.3</TD><TD width="25%" height="32px">5</TD></TR></TBODY></TABLE> Wed, 25 Sep 2024 14:45:58 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Filter-from-Lookup/m-p/700095#M237593 Thulasinathan_M 2024-09-25T14:45:58Z