Solved: CSV Lookup for search query

Abdulm1 · ‎02-12-2020

I have a search query like this

index=ppt sm.to{}="12-12-518@dt.com" OR sm.to{}="050920@cp.com" |table sm.to{} sm.stat

and I want to use a csv lookup instead because I have more email address to use and I want the result to show this two fields .

My csv contains this
sm.to{}
050920@cp.com
12-12-518@dt.com
774211@PP.com
859@dat.com
20909@PP.com
07548@pp.com

Can anyone help with a lookup search query for me . thanks.

manjunathmeti · ‎02-12-2020

Try this:

index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = *

View solution in original post

manjunathmeti · ‎02-12-2020

Try this:

index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = *

Abdulm1 · ‎02-12-2020

am actaully using inputlookup so i used the below command but it did not work

index=proofpoint sourcetype=pps_maillog | inputlookup smto OUTPUT sm.to{} as sm_to | search sm_to = *

I tried the following as well but did not work
index=ppt
| eval Recipients='sm.to{}'
| table Recipients
| search Recipients = "*"
| join type=inner Recipients
[| inputlookup smto
| table sm.to{} sm.stat]

Abdulm1 · ‎02-12-2020

Thanks @manjunathmeti it worked perfectly.

index=ppt | lookup .csv sm.to{} OUTPUT sm.to{} as sm_to | search sm_to = * | table sm_to sm.stat

manjunathmeti · ‎02-12-2020

May be it's due to field name, rename sm.to{} to smto in csv file and search query and try.

CSV Lookup for search query

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

CSV Lookup for search query

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...