https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175335#M50325 <P>The answer from @lguinn is incorrect; your lookup should work fine but there were a few tweaks that should make your stuff work (better), <EM>PROVIDED</EM> your lookup table has a field called <EM>exactly</EM> <CODE>crit_threshold</CODE> (it might actually be, for example, <CODE>crit_threshhold</CODE>); try this:</P> <PRE><CODE>index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space" | eval pct_used=round(100-Value,2) | stats last(pct_used) AS pct_used BY host instance | lookup disk_thresholds host mount AS instance | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used &gt; crit_threshold </CODE></PRE> Sat, 18 Jul 2015 05:26:12 GMT woodcock 2015-07-18T05:26:12Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175333#M50323 <P>I'm trying to match event data with preset limits recorded in a .csv file.</P> <P>My search looks for a host and its percentage usage of disk space. I want to pair it with an arbitrarily set maximum % used that varies by server.<BR /> e.g. Host BUMBLEBEE can have 95% disk usage, but ITCHY can only have 90%.</P> <P>How do I get lookup to pair the maximum usage value from the .csv file to the event data that shows the % disk space used?</P> <P>This is my search:</P> <PRE><CODE>index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space" |eval "pct_used"=round(100-Value,2)|eval mount=instance |eval uniq=host."_".mount|dedup uniq | stats last("pct_used") AS pct_used by host,mount |lookup disk_thresholds host,mount | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used &gt; crit_threshold` </CODE></PRE> Wed, 24 Jun 2015 18:30:10 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175333#M50323 mdennisAPFCU 2015-06-24T18:30:10Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175334#M50324 <P>The logic of your search is fine. A lookup does not have to match an "event" per se, it matches against a field. </P> <P>The syntax of your lookup command is wrong. It should be</P> <PRE><CODE>| lookup disk_thresholds host mount OUTPUT crit_threshold </CODE></PRE> <P>Assuming that you have uploaded a CSV file and setup a lookup named disk_thresholds with the appropriate fields.</P> <P>Here is a <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Usefieldlookupstoaddinformationtoyourevents">step by step guide to setting up a lookup</A>.</P> Wed, 24 Jun 2015 20:14:26 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175334#M50324 lguinn2 2015-06-24T20:14:26Z https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175335#M50325 <P>The answer from @lguinn is incorrect; your lookup should work fine but there were a few tweaks that should make your stuff work (better), <EM>PROVIDED</EM> your lookup table has a field called <EM>exactly</EM> <CODE>crit_threshold</CODE> (it might actually be, for example, <CODE>crit_threshhold</CODE>); try this:</P> <PRE><CODE>index=perfmon source="perfmon:logicaldisk" instance!=_Total instance!=HarddiskVolume1 counter="% Free Space" | eval pct_used=round(100-Value,2) | stats last(pct_used) AS pct_used BY host instance | lookup disk_thresholds host mount AS instance | eval crit_threshold=coalesce(crit_threshold,70) | where pct_used &gt; crit_threshold </CODE></PRE> Sat, 18 Jul 2015 05:26:12 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-extract-a-field-using-quot-lookup-quot-and-a-csv-file/m-p/175335#M50325 woodcock 2015-07-18T05:26:12Z