https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700961#M237807 <P>Try this one</P><P>&nbsp;</P><LI-CODE lang="markup">index=&lt;index&gt; [inputlookup lookup_table | search NAME = "Toronto" | table ID]</LI-CODE><P>&nbsp;</P> Fri, 04 Oct 2024 01:25:03 GMT jg91 2024-10-04T01:25:03Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700953#M237802 <P>I have a lookup table that we update on daily basis with two fields that are relevant here, NAME and ID.&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">NAME</TD><TD width="50%">ID</TD></TR><TR><TD width="50%">Toronto</TD><TD width="50%">765</TD></TR><TR><TD width="50%">Toronto</TD><TD width="50%">1157</TD></TR><TR><TD width="50%">Toronto</TD><TD width="50%">36</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I need to pull data from an index and filter for these three IDs. Normally I would just do&nbsp;</P><PRE>&lt;base search&gt; <BR />| lookup lookup_table ID OUTPUT NAME <BR />| where NAME = "Toronto"</PRE><P>This works, but the search takes forever since the base search is pulling records from everywhere, and filtering afterward.&nbsp; I'm wondering if it's possible to do something like this (psuedo code search incoming)</P><PRE>index=&lt;index&gt; ID IN (<BR /> |[inputlookup lookup_table where NAME = "Toronto"])</PRE><P>Basically, I'm trying to save time by not pulling all the records at the beginning and instead filter on a dynamic value that I have to grab from a lookup table.&nbsp;</P> Fri, 04 Oct 2024 00:37:50 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700953#M237802 DATT 2024-10-04T00:37:50Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700956#M237804 <P>This is Splunk. &nbsp;The answer is always yes:-) &nbsp;In this case, it's much simpler than you think:</P><LI-CODE lang="markup">index=&lt;index&gt; [inputlookup lookup_table where NAME = "Toronto" | fields ID]</LI-CODE><P>&nbsp;</P> Fri, 04 Oct 2024 00:52:48 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700956#M237804 yuanliu 2024-10-04T00:52:48Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700960#M237806 <P>&nbsp;</P><P>&nbsp;</P><P>I think we should use <U><FONT face="tahoma,arial,helvetica,sans-serif">table</FONT></U> instead of <U><FONT face="tahoma,arial,helvetica,sans-serif">fields</FONT></U>.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 04 Oct 2024 01:27:18 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700960#M237806 jg91 2024-10-04T01:27:18Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700961#M237807 <P>Try this one</P><P>&nbsp;</P><LI-CODE lang="markup">index=&lt;index&gt; [inputlookup lookup_table | search NAME = "Toronto" | table ID]</LI-CODE><P>&nbsp;</P> Fri, 04 Oct 2024 01:25:03 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700961#M237807 jg91 2024-10-04T01:25:03Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700963#M237809 <P>No difference with inputlookup. fields is usually preferred if working with an index search that fetches actual events.</P> Fri, 04 Oct 2024 01:43:15 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/700963#M237809 yuanliu 2024-10-04T01:43:15Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/701023#M237826 <P>This worked for me!&nbsp; I'm kind of surprised how close my psuedo search was to the right answer!&nbsp;</P><P>&nbsp;</P><P>I did modify this a little to use `search` instead of `where` so that I could add a dashboard token to this query as well.&nbsp;&nbsp;</P> Fri, 04 Oct 2024 16:31:15 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/701023#M237826 DATT 2024-10-04T16:31:15Z https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/701025#M237828 <P>You can still use token in that where clause. &nbsp;In fact, <U>where</U> in an inputlookup uses the same syntax as search term, unlike&nbsp;the <FONT face="andale mono,times">where</FONT> command that requires an eval expression.</P> Fri, 04 Oct 2024 16:50:25 GMT https://community.splunk.com/t5/Splunk-Search/Using-a-lookup-table-in-a-base-search/m-p/701025#M237828 yuanliu 2024-10-04T16:50:25Z