https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250097#M74666 <P>Hi @j_partsch</P> <P>Glad you found an answer to your question through @ntaylorsplunk <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Please don't forget to resolve the post by clicking "Accept" directly below the answer. </P> <P>I noticed you gave sundareshr a downvote for his attempted answer, but please note that for voting etiquette in this forum, it's best to only use downvoting for answers/suggestions that could potentially do harm to your environment. If an answer is helpful, it's encouraged to upvote it and that will already bump it up in the list of answers. If an attempted answer didn't get you what you needed, then no need to downvote someone for simply trying to help you out. We want to encourage community oriented behavior, not deter people from trying to help. </P> <P>For more info in how voting etiquette works in this community, feel free to check out the discussion on this previous Splunk Answers post.<BR /> <A href="https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html">https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html</A></P> <P>Cheers</P> Tue, 30 Aug 2016 22:50:24 GMT ppablo 2016-08-30T22:50:24Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250091#M74660 <P>I apologize if this has already been answered, but I looked through numerous inquiries on answers.splunk.com and did not find one to match my issue. I have a CSV lookup table of CustID, CustName, src_ip. I am charting the top 10 accesses by scr_ip over a time period. If the src_ip is in the lookup table, I want to display the CustName, else display src_ip. </P> <P>CustID,CustName,src_ip<BR /> 99999,Customer1,123.123.123.123<BR /> 88888,Customer2,123.45.67.8<BR /> 77777, Customer3,123.67.8.3<BR /> ...</P> <P>This is my search:</P> <PRE><CODE>sourcetype=access_combined | lookup TestIPs.csv src_ip OUTPUT CustName | chart count over CustName| sort -count limit=10 </CODE></PRE> <P>This results in a chart of only the Customer hits, but does not show any information from hits from non-customers. Theoretically, non-customer could be in the top 10 site users.</P> <P>Sample Output</P> <PRE><CODE>CustName count Customer3 10 Customer1 6 Customer2 3 </CODE></PRE> <P>Desired Output</P> <PRE><CODE>CustName count 111.222.333.4 20 1.2.3.4 15 Customer3 10 4.9.1.6 7 Customer1 6 Customer2 3 1.1.1.1 2 1.2.3.45 1 2.3.4.5 1 3.5.7.9 1 </CODE></PRE> Tue, 29 Sep 2020 10:45:20 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250091#M74660 j_partsch 2020-09-29T10:45:20Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250092#M74661 <P>Try this</P> <PRE><CODE>sourcetype=access_combined | lookup TestIPs.csv src_ip OUTPUT CustName | eval CustName=coalesce(CustName, src_ip) | chart count over CustName| sort -count limit=10 </CODE></PRE> Thu, 25 Aug 2016 16:20:21 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250092#M74661 sundareshr 2016-08-25T16:20:21Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250093#M74662 <P>This did not work, every record shows src_ip in the CustName field now including for customers, there are no customer names shown.</P> Thu, 25 Aug 2016 16:55:53 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250093#M74662 j_partsch 2016-08-25T16:55:53Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250094#M74663 <P>Try this instead</P> <PRE><CODE>sourcetype=access_combined | lookup TestIPs.csv src_ip OUTPUT CustName | eval CustName=if(len(CustName) &gt; 2, CustName, src_ip) | chart count over CustName| sort -count limit=10 </CODE></PRE> Thu, 25 Aug 2016 17:25:03 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250094#M74663 ntaylorsplunk 2016-08-25T17:25:03Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250095#M74664 <P>This works! Thank you very much ntaylorsplunk!!!!</P> Thu, 25 Aug 2016 17:31:01 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250095#M74664 j_partsch 2016-08-25T17:31:01Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250096#M74665 <P>I downvoted this post because this did not work, every record shows src_ip in the custname field now including for customers, there are no customer names shown.</P> Thu, 25 Aug 2016 17:33:49 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250096#M74665 j_partsch 2016-08-25T17:33:49Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250097#M74666 <P>Hi @j_partsch</P> <P>Glad you found an answer to your question through @ntaylorsplunk <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Please don't forget to resolve the post by clicking "Accept" directly below the answer. </P> <P>I noticed you gave sundareshr a downvote for his attempted answer, but please note that for voting etiquette in this forum, it's best to only use downvoting for answers/suggestions that could potentially do harm to your environment. If an answer is helpful, it's encouraged to upvote it and that will already bump it up in the list of answers. If an attempted answer didn't get you what you needed, then no need to downvote someone for simply trying to help you out. We want to encourage community oriented behavior, not deter people from trying to help. </P> <P>For more info in how voting etiquette works in this community, feel free to check out the discussion on this previous Splunk Answers post.<BR /> <A href="https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html">https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html</A></P> <P>Cheers</P> Tue, 30 Aug 2016 22:50:24 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250097#M74666 ppablo 2016-08-30T22:50:24Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250098#M74667 <P>Thank you for the pointers. I was unaware of the proper-etiquette on answers.splunk.com.</P> Wed, 31 Aug 2016 11:47:34 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250098#M74667 j_partsch 2016-08-31T11:47:34Z https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250099#M74668 <P>No problem. Glad you got the help you needed from the community <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 13 Sep 2016 00:11:55 GMT https://community.splunk.com/t5/Splunk-Search/If-a-value-is-not-in-a-lookup-table-can-I-return-that-value-as/m-p/250099#M74668 ppablo 2016-09-13T00:11:55Z