Filtering events with inputlookup not working

bsizemore
Path Finder

Hello,

Here is an example of my csv - first three lines:

sourceHost
web-a01
a02

I have given the lookup global permissions, and when I execute "inputlookup os-seek.csv", I get all 133 results I expect. The following query is from the Splunk Deployment Manager. I want to filter for the 133 hosts that are in the csv. When I use the inputlookup where I think it should go, I get no results. When I use just one of the hosts from the csv, I do get results.

index="_internal" source="*metrics.lo*" group=tcpin_connections   
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)   
| eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")  
| eval build=if(isnull(build),"n/a",build)   
| eval version=if(isnull(version),"pre 4.2",version)   
| eval guid=if(isnull(guid),sourceHost,guid)   
| eval os=if(isnull(os),"n/a",os)  
| eval arch=if(isnull(arch),"n/a",arch)   
| fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server build version os arch guid   
| eval lastReceived = case(kb>0, _time)   
| eval seconds=30   
| eval event_count= tcp_eps * seconds   
| bin _time span=10m   
| stats  first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kbTotal  sum(event_count) as events sum(seconds) as secs by sourceHost guid _time   
| eval  kb = kbTotal / 30   
| stats  first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived sum(kb) as KB sum(events) as events sum(secs) as secs by sourceHost guid   | eval  avgEps=events/secs   
| addinfo  
| eval  status = if(isnull(KB) or lastConnected<(info_max_time-900),"missing",if(mystatus="quiet","quiet","active"))  
| search sourceHost=* [inputlookup os-seek.csv]
| table sourceHost, os

I put the inputlookup into the query like so:

| search sourceHost=* [inputlookup os-seek.csv]

I guess I'm using inputlookup wrong. How do I fix this?

0 Karma
1 Solution

bsizemore
Path Finder

Instead of fixing it I went with something less complicated:

index=_internal fwdType="*"
| dedup sourceHost
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| search sourceHost=* [inputlookup os-seek.csv]
| table sourceHost, os

I get the events I want with the above.


0 Karma
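As an added example (not code from the post, and not Splunk's own implementation), the Python below models the mechanism behind both searches above: what `[inputlookup os-seek.csv]` expands to inside `| search`, why a CSV whose header does not name a field present on the events matches nothing, and a `lookup`-based alternative that filters per event instead of through a subsearch. The CSV rows, the events, the `in_list` output field and the `host` header used for the mismatch case are constructed for this example; the 10,000-row ceiling is the default `[subsearch] maxout` in limits.conf, and the case-sensitivity difference reflects `search` matching field values case-insensitively while file lookups default to `case_sensitive_match = true`.

```python
"""Model of Splunk's [inputlookup ...] subsearch expansion and of a
lookup-based allowlist filter, run against constructed data."""
import csv
import io

# Constructed stand-in for os-seek.csv: a one-column allowlist whose
# header must name the event field being filtered (sourceHost).
OS_SEEK_CSV = "sourceHost\nweb-a01\na02\n"

# Constructed stand-in for tcpin_connections rows after
# `eval sourceHost=if(isnull(hostname), sourceHost, hostname)`.
EVENTS = [
    {"sourceHost": "web-a01", "os": "Linux", "fwdType": "uf"},
    {"sourceHost": "A02", "os": "Windows", "fwdType": "uf"},  # case differs
    {"sourceHost": "db-x99", "os": "Linux", "fwdType": "uf"},
    {"os": "n/a", "fwdType": "uf"},                           # no sourceHost
]

# Default [subsearch] maxout in limits.conf; rows beyond it are dropped.
SUBSEARCH_MAXOUT = 10000


def load_lookup(csv_text):
    """Parse the CSV the way inputlookup returns it: one dict per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def quote_value(value):
    """Wrap a value in double quotes, backslash-escaping \\ and \"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def subsearch_clause(rows, maxout=SUBSEARCH_MAXOUT):
    """Return the filter [inputlookup ...] expands to: an OR of per-row
    AND terms, one field=value per CSV column. Rows past maxout are
    silently discarded, which truncates a large allowlist."""
    terms = []
    for row in rows[:maxout]:
        parts = [f"{field}={quote_value(val)}" for field, val in row.items()]
        terms.append("(" + " AND ".join(parts) + ")")
    return " OR ".join(terms)


def search_filter(events, rows, maxout=SUBSEARCH_MAXOUT):
    """Apply the expanded clause as `search` does: values compare
    case-insensitively, and an event that lacks the field never matches,
    so a CSV header that is not an event field name yields zero results."""
    kept = []
    for ev in events:
        for row in rows[:maxout]:
            if all(field in ev and str(ev[field]).lower() == val.lower()
                   for field, val in row.items()):
                kept.append(ev)
                break
    return kept


def lookup_filter(events, rows, key="sourceHost", out="in_list"):
    """Model of `| lookup <definition> sourceHost OUTPUT sourceHost AS in_list
    | where isnotnull(in_list)`: a per-event lookup rather than a subsearch,
    so it is not subject to maxout; with the default case_sensitive_match
    the comparison is exact."""
    allowed = {row[key] for row in rows}
    return [{**ev, out: ev[key]} for ev in events if ev.get(key) in allowed]


if __name__ == "__main__":
    rows = load_lookup(OS_SEEK_CSV)
    print(subsearch_clause(rows))
    print([e["sourceHost"] for e in search_filter(EVENTS, rows)])
    print([e["sourceHost"] for e in lookup_filter(EVENTS, rows)])
    print(search_filter(EVENTS, load_lookup("host\nweb-a01\na02\n")))
```

Two checks follow from the model when a subsearch-based filter returns nothing: confirm in the Job Inspector that the expanded clause names the field the events actually carry at that point in the pipeline, and confirm the lookup is smaller than `maxout` (133 rows is far below it). For allowlists that grow past that limit, the `lookup` form keeps working where the subsearch silently drops rows.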
