https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241352#M71774 <P>I am trying to run with the below query but no result found</P> <P>index="indexname" [ | inputlookup file1.csv where (Allow='Y')| fields Application, Allow | rename Application as App ] | table host, App</P> <P>Also tried like this : <BR /> index="indexname" [ | inputlookup file1.csv | fields Application, Allow | rename Application as App | search Allow='Y' ] | table host, App<BR /> No result found. </P> <P>Note: the reason I use <STRONG>rename Application as App</STRONG> as there is no fieldname by Application in raw event. The field Application is only in my lookup file as a column header. </P> <P>Anything I am missing out in the query, please help </P> <P>Thanks &amp; Regards,<BR /> Binay Agarwal </P> Wed, 18 Jan 2017 11:15:41 GMT bagarwal 2017-01-18T11:15:41Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241350#M71772 <P>Hi, </P> <P>I have created a lookup file name file1.csv . There are two columns in the file "Application" and "Allow" and looks like below . <BR /> Application, Allow<BR /> Paint, Y<BR /> abc*, Y<BR /> xyz*,<BR /> aaa*, Y<BR /> zzz, </P> <P>Now, I want to run a query to get the output of application name where Allow = Y. </P> <P>Current Query: <BR /> index="index_name" [ | inputlookup | table Application | rename Application as App ] | table host, App</P> <P>I am very new in working with lookup and would be really helpful if anyone can suggest changes need to be made in the query to match the where condition and get the result or any other way to get the desired result. </P> <P>Thanks in advance</P> <P>Best Regards,<BR /> Binay Agarwal</P> Tue, 29 Sep 2020 12:28:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241350#M71772 bagarwal 2020-09-29T12:28:04Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241351#M71773 <P>You can use <CODE>where</CODE> clause in inputlookup like </P> <PRE><CODE>|inputlookup geo_attr_countries.csv where (country="Austria")|table continent subregion </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Inputlookup#Optional_arguments">https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Inputlookup#Optional_arguments</A></P> <P>If you want to use it together with another search query , try just <CODE>lookup</CODE> after defining the lookup definitions. For eg: if you have a field <CODE>Application</CODE> in your search query, you can try <CODE>index=indexname|fields Application|lookup mylookupname|search Allow="Y"</CODE><BR /> where mylookupname is the lookup definition you created out of your file</P> <P>Reference : <A href="http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Lookup">http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Lookup</A></P> Wed, 18 Jan 2017 09:20:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241351#M71773 renjith_nair 2017-01-18T09:20:46Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241352#M71774 <P>I am trying to run with the below query but no result found</P> <P>index="indexname" [ | inputlookup file1.csv where (Allow='Y')| fields Application, Allow | rename Application as App ] | table host, App</P> <P>Also tried like this : <BR /> index="indexname" [ | inputlookup file1.csv | fields Application, Allow | rename Application as App | search Allow='Y' ] | table host, App<BR /> No result found. </P> <P>Note: the reason I use <STRONG>rename Application as App</STRONG> as there is no fieldname by Application in raw event. The field Application is only in my lookup file as a column header. </P> <P>Anything I am missing out in the query, please help </P> <P>Thanks &amp; Regards,<BR /> Binay Agarwal </P> Wed, 18 Jan 2017 11:15:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241352#M71774 bagarwal 2017-01-18T11:15:41Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241353#M71775 <P>Hi Binay,</P> <P>Here is what I have done , <BR /> - Created an input lookup file similar to yours (Application, Allow)<BR /> - Uploaded the lookup file<BR /> - Added a lookup definition myapplookup as file based<BR /> - Created a dummy search to simulate your search and lookup in the lookup file to get the rest of the fields</P> <PRE><CODE>|stats count |eval App="Paint,abc*,xyz*,zzz"|eval Host="Host1,Host2,Host3,Host4"|makemv delim="," App|makemv delim="," Host|mvexpand App|mvexpand Host |table Host App|rename App as Application|lookup myapplookup Application|search Allow="Y" </CODE></PRE> <P>Ignore the first line of the search , it's just a dummy to simulate.</P> Thu, 19 Jan 2017 02:20:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241353#M71775 renjith_nair 2017-01-19T02:20:25Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241354#M71776 <P>hi,if csv file contain src_ip and src_prt,i need all data except src_ip mentioned in the csv file..what will be the lookup query ?</P> Wed, 30 Sep 2020 01:36:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Where-condition-in-lookup-csv-file/m-p/241354#M71776 pinkyy 2020-09-30T01:36:42Z