https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707048#M239195 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/274955">@secure</a>&nbsp;,</P><P>if you want to filter results from main search using the Event_Codes from the lookup, you must use a subsearch:</P><LI-CODE lang="markup">index=abc | rex field=data "\|(?&lt;data&gt;[^\.|]+)?\|(?&lt;Event_Code&gt;[^\|]+)?\|" | search [ | inputlookup dataeventcode.csv | fields Event_Code ] | timechart span=1d dc(Event_Code)</LI-CODE><P>If you extract the Event_Code field before the search as a field, you can put the subsearch in the main search.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 17 Dec 2024 15:31:55 GMT gcusello 2024-12-17T15:31:55Z https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707046#M239194 <P class="lia-align-justify">Hi All</P> <P class="lia-align-justify">i have a csv look up with below data</P> <P class="lia-align-justify"><FONT size="3">Event_Code</FONT></P> <P class="lia-align-justify"><FONT size="3">AUB01</FONT></P> <P class="lia-align-justify"><FONT size="3">AUB36</FONT></P> <P class="lia-align-justify"><FONT size="3">BUA12</FONT></P> <P class="lia-align-justify"><FONT size="3">i want to match it with a dataset which has field name&nbsp; Event_Code with several values i need to extract the count of the event code per day from the matching csv lookup&nbsp;</FONT></P> <P class="lia-align-justify"><FONT size="3">my query </FONT></P> <LI-CODE lang="markup">index=abc |rex field=data "\|(?&lt;data&gt;[^\.|]+)?\|(?&lt;Event_Code&gt;[^\|]+)?\|" | lookup dataeventcode.csv Event_Code | timechart span=1d dc(Event_Code)</LI-CODE> <P>however the result is showing all 100 count per day instaed of matching the event code from the CSV and then give the total count per day</P> Tue, 17 Dec 2024 19:44:01 GMT https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707046#M239194 secure 2024-12-17T19:44:01Z https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707048#M239195 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/274955">@secure</a>&nbsp;,</P><P>if you want to filter results from main search using the Event_Codes from the lookup, you must use a subsearch:</P><LI-CODE lang="markup">index=abc | rex field=data "\|(?&lt;data&gt;[^\.|]+)?\|(?&lt;Event_Code&gt;[^\|]+)?\|" | search [ | inputlookup dataeventcode.csv | fields Event_Code ] | timechart span=1d dc(Event_Code)</LI-CODE><P>If you extract the Event_Code field before the search as a field, you can put the subsearch in the main search.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 17 Dec 2024 15:31:55 GMT https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707048#M239195 gcusello 2024-12-17T15:31:55Z https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707050#M239197 <P>The query checks the lookup file, but then does nothing with it.&nbsp; That's why all events are counted.&nbsp; Try this</P><LI-CODE lang="markup">index=abc |rex field=data "\|(?&lt;data&gt;[^\.|]+)?\|(?&lt;Event_Code&gt;[^\|]+)?\|" | lookup dataeventcode.csv Event_Code OUTPUT Event_Code as found | where isnotnull(found) | timechart span=1d dc(Event_Code)</LI-CODE><P>If the Event_Code field did not need to be extracted via <FONT face="courier new,courier">rex</FONT> then we could have used <FONT face="courier new,courier">inputlookup</FONT> to give Splunk a list of codes to search for.</P> Tue, 17 Dec 2024 15:36:33 GMT https://community.splunk.com/t5/Splunk-Search/data-and-lookup-field-problem/m-p/707050#M239197 richgalloway 2024-12-17T15:36:33Z