https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302528#M91051 <P>Give this a try</P> <PRE><CODE>your currrent search giving fields instance, a field for each check_ids and profile | eval temp=instance."#".profile | fields - instance profile | untable temp Check_ID Val | eval Profile=mvindex(split(temp,"#"),1) | lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2 | eval Val2=if(isnull(Val2),"Unknown",null()) | eval Val=coalesce(Val,Val2) | xyseries temp Check_ID Val | rex field=temp "(?&lt;instance&gt;.+)#(?&lt;profile&gt;.+)" | fields - temp | table instance * profile </CODE></PRE> Thu, 11 Jan 2018 19:44:14 GMT somesoni2 2018-01-11T19:44:14Z https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302526#M91049 <P>Hi Team,</P> <P>This appears to be a complex scenario to me to implement on Splunk</P> <P>Below is the table i have on Splunk</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4132i09096A0B19F14500/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>In the above table, for check_ids (1.1.10, 1.1.14.... and so on ) there are multiple blank fields and i need to fill the blanks with a information in the lookup and condition.</P> <P>Below is the lookup file.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4133i09AA00901732169C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>In the lookup file, for each profile what all check_id are present is mentioned.</P> <P>Here comes the problem statement.</P> <P>In the first image above i want to fill the blanks to "unknown" if for that respective profile and check_id there is no entry in the lookup table. </P> <P>For example - In the first row, the profile is "coreos-level-1" and there is blank for "<STRONG>1.1.10</STRONG>", "<STRONG>1.1.14</STRONG>", both these entries are not there in the lookup, so i want to replace blank with "Unknown", whereas if the check_id exists in the lookup then nothing needs to be filled and it can remain blank.</P> <P>Can anyone help me with a logic to get this done in Splunk?</P> Thu, 11 Jan 2018 19:25:13 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302526#M91049 ashish9433 2018-01-11T19:25:13Z https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302527#M91050 <P>How was the top table created? Being in that format definitely complicates your search, so if you instead have access to the data used to create that table it may be easier to start with the raw data instead.</P> <P>Also, please include these samples in text form, not screenshots. It's very difficult to work with sample data when you have to manually enter it in.</P> Thu, 11 Jan 2018 19:39:52 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302527#M91050 micahkemp 2018-01-11T19:39:52Z https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302528#M91051 <P>Give this a try</P> <PRE><CODE>your currrent search giving fields instance, a field for each check_ids and profile | eval temp=instance."#".profile | fields - instance profile | untable temp Check_ID Val | eval Profile=mvindex(split(temp,"#"),1) | lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2 | eval Val2=if(isnull(Val2),"Unknown",null()) | eval Val=coalesce(Val,Val2) | xyseries temp Check_ID Val | rex field=temp "(?&lt;instance&gt;.+)#(?&lt;profile&gt;.+)" | fields - temp | table instance * profile </CODE></PRE> Thu, 11 Jan 2018 19:44:14 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302528#M91051 somesoni2 2018-01-11T19:44:14Z https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302529#M91052 <P>This guidance, made me get what i was looking for! Thanks</P> Fri, 12 Jan 2018 16:03:57 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Lookup/m-p/302529#M91052 ashish9433 2018-01-12T16:03:57Z