https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750469#M242371 <P>Hello all,&nbsp;<BR /><BR />I am working on an Splunk query which suppose to filter some logs by utilizing data from lookup. Consider a field called host. I have list of host stored on an lookup (let's call the lookup as hostList.csv). Now, I want to retrieve the list of servers from the hostList.csv lookup. And then filter the field host with the retrieved set of list.&nbsp;<BR /><BR />Note - I don't want use map command for this.&nbsp;<BR /><BR />If is there any other way of pull off this logic. Please help me with example query and explanation.&nbsp;<BR /><BR />Thank you!</P> Fri, 25 Jul 2025 17:22:55 GMT KishoreSrini 2025-07-25T17:22:55Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750469#M242371 <P>Hello all,&nbsp;<BR /><BR />I am working on an Splunk query which suppose to filter some logs by utilizing data from lookup. Consider a field called host. I have list of host stored on an lookup (let's call the lookup as hostList.csv). Now, I want to retrieve the list of servers from the hostList.csv lookup. And then filter the field host with the retrieved set of list.&nbsp;<BR /><BR />Note - I don't want use map command for this.&nbsp;<BR /><BR />If is there any other way of pull off this logic. Please help me with example query and explanation.&nbsp;<BR /><BR />Thank you!</P> Fri, 25 Jul 2025 17:22:55 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750469#M242371 KishoreSrini 2025-07-25T17:22:55Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750471#M242372 <LI-CODE lang="markup">index=* [| inputlookup hostList.csv | table host ]</LI-CODE> Fri, 25 Jul 2025 17:55:11 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750471#M242372 ITWhisperer 2025-07-25T17:55:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750472#M242373 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,&nbsp;<BR /><BR />I have tried this method. The host name on the log is structured like "hostname.abcgroup.com". I want to search like, "hostname*". Since, the hostnames are retrieved from lookup it's working as a static string search. Not filtering the host. I tried like this after get the data from lookup,<BR /><BR />| eval host_pattern=host."*"<BR />| table host_pattern<BR /><BR />But, this is also not working. I guess the Splunk may consider the wildcard * as string. Since, I am filtering like this. Any suggestion for this...</P> Fri, 25 Jul 2025 18:31:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750472#M242373 KishoreSrini 2025-07-25T18:31:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750475#M242374 <P>Try something like this</P><LI-CODE lang="markup">index=* [| inputlookup hostList.csv | eval string="host=".host."*" | table string | format ]</LI-CODE> Mon, 28 Jul 2025 12:31:23 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750475#M242374 ITWhisperer 2025-07-28T12:31:23Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750557#M242375 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;,&nbsp;<BR /><BR />Thank your help.&nbsp;<BR /><BR /><SPAN>With your suggestion, I also included a format command to format the output with "OR," which is now working.<BR /><BR /></SPAN></P><LI-CODE lang="markup">index=* [| inputlookup hostList.csv | eval string="host=".host."*" | table string | format]</LI-CODE><P><SPAN><BR /></SPAN>Once again, Thank you for the help&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;.</P> Mon, 28 Jul 2025 12:22:14 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750557#M242375 KishoreSrini 2025-07-28T12:22:14Z https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750558#M242376 <P>I have updated my response (I couldn't remember if the default was to format with "OR" or not!)</P> Mon, 28 Jul 2025 12:32:06 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-query-lookup-utilization/m-p/750558#M242376 ITWhisperer 2025-07-28T12:32:06Z