Solved: Basic lookup command

clozach · ‎10-14-2019

Hi all,

I am curious the best way to write the following lookup query.

I have a 1 column lookup of firewall rule names. I would like to search our firewall index and use the lookup to determine which firewall rules haven't been used in the last 30 days.

Thanks for your time and help.

somesoni2 · ‎10-14-2019

Try something like this (assuming there is a field firewall_rule available in your firewall data and same field name is used in your single column lookup. )

index=yourFirewallIndex [| inputlookup firewall_rulename.csv | table firewall_rule ]
| stats count by firewall_rule 
| append [| inputlookup firewall_rulename.csv | table firewall_rule | eval count=0]
| stats max(count) as count by firewall_rule | where count=0

View solution in original post

somesoni2 · ‎10-14-2019

Try something like this (assuming there is a field firewall_rule available in your firewall data and same field name is used in your single column lookup. )

index=yourFirewallIndex [| inputlookup firewall_rulename.csv | table firewall_rule ]
| stats count by firewall_rule 
| append [| inputlookup firewall_rulename.csv | table firewall_rule | eval count=0]
| stats max(count) as count by firewall_rule | where count=0

clozach · ‎10-15-2019

Hi somesoni2,

Thanks so much! This worked. I'm not sure how to accept it as an answer since it is a comment, but I appreciate the help. If you re-post as an answer I will mark it as accepted.

Again, thank you 🙂

somesoni2 · ‎10-15-2019

Here you go.

Basic lookup command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation