https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309140#M92717 <P>Clever Idea.</P> <P>May i code a lookup with 2 parameters as input?<BR /> I imagine something like:</P> <PRE><CODE>| lookup lookupfile.csv Date as Date, Cluster as Cluster OUTPUTNEW &lt;&lt;FIELD&gt;&gt;as &lt;&lt;FIELD&gt;&gt; </CODE></PRE> <P>Correct?</P> <P>Tks!<BR /> Carmine</P> Thu, 18 Jan 2018 10:04:36 GMT CarmineCalo 2018-01-18T10:04:36Z https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309138#M92715 <P>Splunkers!</P> <P>I'm facing the following use case.</P> <P>I've a search that return fields like:<BR /> - date (month/year)<BR /> - AppID<BR /> - Availability Cluster <BR /> - ...</P> <P>In a lookup table, I've the connection b/w date (month/Year) and Availability Clusters, like</P> <P>Date Cluster 1 Cluster 2 Cluster 3<BR /> 2016-01 100 200 300<BR /> 2016-02 110 210 310<BR /> 2016-03 120 220 320<BR /> ....</P> <P>Availability Clusters in the search and in the lookup have the same domain.</P> <P>Now, i need the lookup in the table the value matching both date and Availability Cluster fields related to the events (so the column to be lookup is variable, depending on "Availability Cluster" field content).<BR /> How can i do?</P> <P>Currently the lookup looks something like, don't know how to complete the statement</P> <P>lookup lookupfile.csv Date as Date OUTPUTNEW ???</P> <P>Ideas/ suggestions are really appreciated,<BR /> Tks!</P> <P>Carmine</P> Wed, 17 Jan 2018 13:56:25 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309138#M92715 CarmineCalo 2018-01-17T13:56:25Z https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309139#M92716 <P>Do you control the format/generation of the lookup table? If yes, I would suggest to make the lookup table more linear with just 3 columns, like this</P> <PRE><CODE>Date,Cluster,Value 2016-01,Cluster 1,100 2016-01,Cluster 2,200 2016-01,Cluster 3,300 .... </CODE></PRE> <P>You'd also need to ensure that timestamp format in Date column matches your data exactly.<BR /> That way it'll be easy to lookup your data (<CODE>...| lookup lookupfile.csv Date as Date Cluster as "Availability Cluster" OUTPUT Value</CODE>).</P> <P>If you can't try this workaround (less efficient)</P> <PRE><CODE>your current search giving fields date, AppID, "Availability Cluster"... | join type=left Date "Availability Cluster" [| inputlookup lookupfile.csv| untable Date Cluster Value | rename Cluster as "Availability Cluster"] </CODE></PRE> Wed, 17 Jan 2018 20:03:27 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309139#M92716 somesoni2 2018-01-17T20:03:27Z https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309140#M92717 <P>Clever Idea.</P> <P>May i code a lookup with 2 parameters as input?<BR /> I imagine something like:</P> <PRE><CODE>| lookup lookupfile.csv Date as Date, Cluster as Cluster OUTPUTNEW &lt;&lt;FIELD&gt;&gt;as &lt;&lt;FIELD&gt;&gt; </CODE></PRE> <P>Correct?</P> <P>Tks!<BR /> Carmine</P> Thu, 18 Jan 2018 10:04:36 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309140#M92717 CarmineCalo 2018-01-18T10:04:36Z https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309141#M92718 <P>yes, so you can write as <BR /> your current search giving fields date, AppID, "Availability Cluster"...| lookup lookupfile.csv Date as Date, Cluster as "Availability Cluster" OUTPUTNEW Value </P> Thu, 18 Jan 2018 10:33:20 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-with-variable-Output/m-p/309141#M92718 493669 2018-01-18T10:33:20Z