https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29777#M6019 <P>Awesome, thank you. I think the time-based lookup is what I'm looking for. I had some luck with the append=t flag as well. Thanks for your help! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Fri, 10 May 2013 17:43:42 GMT deadbits 2013-05-10T17:43:42Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29775#M6017 <P>I am having some trouble performing a search across multiple lookup tables. I have several csv's as lookup tables (let's say table1.csv, table2.csv, table3.csv), all of which have the same field names with different data. I am trying to get a trending view of this data over time - as each lookup table covers one week's worth of data.</P> <P>Q: Is there a way to search multiple lookup tables and do a stats count by X across all the tables within the same search?</P> <P>A search for an individual table works fine. for example: |inputlookup table2.csv | stats count by field1</P> <P>a few of the searches I've tried are:<BR />search one: [ | inputlookup table1.csv | stats count by field1 ] [ |inputlookup table2.csv | stats count by field1]<BR />search two: |inputlookup table1.csv |inputlookup table2.csv | stats count by field1</P> <P>Am I going about this the complete wrong way or is what I'm trying to do simply not possible? Any help at all would be greatly appreciated!</P> Thu, 30 Mar 2023 15:28:20 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29775#M6017 deadbits 2023-03-30T15:28:20Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29776#M6018 <P>For the question as asked, something like this might work for you:</P> <PRE><CODE>| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1 </CODE></PRE> <P>However, you probably want to differentiate between the lookups, which you could do by having a second field (<CODE>lookup_name</CODE>) like so:</P> <PRE><CODE>| inputlookup table1.csv | inputlookup append=t table2.csv | inputlookup append=t table3.csv | stats count by field1 lookup_name </CODE></PRE> <P>Depending on your use case you may want to use a <A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourevents">time-based lookup</A> combining all of the results.</P> Fri, 10 May 2013 08:36:48 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29776#M6018 dart 2013-05-10T08:36:48Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29777#M6019 <P>Awesome, thank you. I think the time-based lookup is what I'm looking for. I had some luck with the append=t flag as well. Thanks for your help! <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Fri, 10 May 2013 17:43:42 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29777#M6019 deadbits 2013-05-10T17:43:42Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29778#M6020 <P>Thanks @dart this is awesome! How about this one:</P> <PRE><CODE>| inputlookup table1.csv | append [| inputlookup table2.csv] [| inputlookup table3.csv] </CODE></PRE> Thu, 22 Nov 2018 01:15:04 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29778#M6020 ipark_splunk 2018-11-22T01:15:04Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29779#M6021 <P>Say I have two lookup table1.csv and table2.csv and both has different fields. Now I want to include table1.csv but exclude results from msin search for column present on table 2.csv. how to do that</P> Tue, 14 Apr 2020 12:40:34 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29779#M6021 ksharma7 2020-04-14T12:40:34Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29780#M6022 <P>@ksharma7, This question is nearly 7 years old with an accepted answer. Please post a new question describing your problem.</P> Tue, 14 Apr 2020 13:21:31 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/29780#M6022 richgalloway 2020-04-14T13:21:31Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/636730#M221131 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/970">@dart</a>&nbsp;&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/38016">@deadbits</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/57969">@ksharma7</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/151308">@ipark_splunk</a>&nbsp;</P><P><SPAN>1 Question:</SPAN></P><P>whatever example you shared thats great and working but what about multiple lookups if i wanted to search , for example if i am having 20 lookups like table1.csv to table20.csv with different name , Actually we can do appending for each of one, need your help here.</P><P>2 Question:</P><P>whatever result we are receiving in that i wanted to add lookup name as well because my all lookups are having different name with different name.<BR /><BR />Could you please help me on this ?</P> Thu, 30 Mar 2023 17:44:57 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-search-multiple-lookup-tables-and-do-a-stats/m-p/636730#M221131 asharma737 2023-03-30T17:44:57Z