How to marry lookup table and index data? - Splunk Community

Splunk Search

Hello Champs

I've index data table

change records errors

B221205A	109	0
B221205B	1480	0
B221205C	3336	0
B221205D	2581	8

I also have lookup table that contains

File_name Remote_file records

$APPLXYZ.C221205A	/APPLABC/B123/OUT/C221205A	109
$APPLXYZ.C221205D	/APPLABC/B123/OUT/C221205D	2581
$APPLXYZ.C221205C	/APPLABC/B123/OUT/C221205C	3336
/APPLABC/B123	/APPLABC/B123/OUT/C221205B	1480

I am looking for the result

File_name	Remote_file	records	change	errors
$APPLXYZ.C221205A	/APPLABC/B123/OUT/C221205A	109	B221205A	0
$APPLXYZ.C221205D	/APPLABC/B123/OUT/C221205D	2581	B221205B	0
$APPLXYZ.C221205C	/APPLABC/B123/OUT/C221205C	3336	B221205C	0
/APPLABC/B123	/APPLABC/B123/OUT/C221205B	1480	B221205D	8

Hi @splunklearner99,

you should explore the lookup command (https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Lookup)

anyway, please try this:

index=your_index
| lookup your_lookup.csv records OUTPUT File_name Remote_file
| table File_name Remote_file records change errors

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community, What’s the best part of hearing how our customers use Splunk? Easy: the positive ...