https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294992#M89023 <P>I still get No results found.</P> Sun, 12 Feb 2017 15:00:12 GMT gener_yc 2017-02-12T15:00:12Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294990#M89021 <P>I have an inputlookup called hosts.csv that looks like this:</P> <PRE><CODE>host ---------- hostname1 hostname2 hostname3 hostname4 </CODE></PRE> <P>I want to list all indexes containing the value of host in raw data against that hostname. So the output I am looking for is...</P> <PRE><CODE>host index ------------------------------ hostname1 firewall web unix proxy hostname2 firewall database unix dmz hostname3 firewall proxy hostname4 firewall proxy windows </CODE></PRE> <P>I have tried using the search below which gives me matching indexes containing the hostnames in raw data. But I am not able to create a table to list the hostnames against the indexes.</P> <PRE><CODE>[|inputlookup hosts.csv|table host|rename host as search|format]|stats values(index) </CODE></PRE> <P>I tried adding <CODE>code...|lookup hosts.csv host OUTPUT host| stats values(index) by host</CODE> and get no results. Can you please help me obtain the output above?</P> <P>Thanks!</P> Fri, 10 Feb 2017 21:58:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294990#M89021 gener_yc 2017-02-10T21:58:32Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294991#M89022 <PRE> |tstats count WHERE index=* by host,index| table host index | search [|inputlookup hosts.csv] | stats values(index) by host </PRE> Sat, 11 Feb 2017 00:05:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294991#M89022 pradeepkumarg 2017-02-11T00:05:05Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294992#M89023 <P>I still get No results found.</P> Sun, 12 Feb 2017 15:00:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294992#M89023 gener_yc 2017-02-12T15:00:12Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294993#M89024 <P>does the host name in your lookup match exactly with the host names in your splunk data?</P> Sun, 12 Feb 2017 17:16:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294993#M89024 pradeepkumarg 2017-02-12T17:16:25Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294994#M89025 <P>Yes they match, even though they are part of an fqdn I can see them in raw data when I query for them using <CODE>...|rename host as search|format</CODE>.</P> <P>Also splunk produces a list of matching indices when I use the query <CODE>[|inputlookup hosts.csv|table host|rename host as search|format]|stats values(index)</CODE>.</P> <P>I just am struggling to append the index list with the hostnames from the lookup.</P> Mon, 13 Feb 2017 13:03:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-an-inputlookup-search-that-displays-table-of/m-p/294994#M89025 gener_yc 2017-02-13T13:03:40Z