Hi, Thanks for the answer, It is quite helpful for me as well. However, I have a few questions here:-
1. create a lookup called e.g. mylookup.csv; : Do you mean lookup table and lookup defination both?
2. I used similarly | outputlookup mylookup.csv with 2 fields field1 and field2 then I tried to use | inputlookup mylookup.csv | table field1 field 2 But it is giving me just the field 2 and field 1 is empty. Is there any specific way to get both fields
3. in my_search I have a field search_field which has the same value as field1. I need to match both field values and if they are the same, I need to extract the related field2 value in my search.

Hi bharathkumarnec,
1. yes, lookup table and lookup defination both, if you like you could also create an automatic lookup but I don't like this because there's the risk to lose control on your searches.
2. beware to the field names, usually this is the problem! anyway you can use all the fields you like in your subsearch, remember only that you cannot have more than 50,000 results in your subsearch.
3. use eval to give the value of field1 also to search_field ( [ | inputlookup my_lookup.csv | eval search_field=field1 | fields field1 search-field] ), the only thing to remember is that the field names that you want to use to match MUST be the same in search and subsearch, otherwise it doesn't run.

I hope to be helpful for you.

Bye.
Giuseppe

Hi, Thanks a lot for this answer. I completely forgot to comment before. Your inputs are really helpful for me to understand it.

It was a pleasure!
Bye.
Giuseppe