Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Part2: How to join two different result shari...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let say I have a result below
index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| table ID Status Remark Values
ID Status Remark Values
11 PASS CHECKED something something hello
371 FAILED CONFIRMED someting hello SOME
let say I want to input another field from a inputlookup that is correlated with the ID number.
ex)
| inputlookup test
|table ID ActualName
ID ActualName
11 McDonald
371 BurgerKing
HOW TO simply input that result into the first query so that I can get a result as below?
ID ActualValue Status Remark Values
11 McDonald PASS CHECKED something something hello
371 BurgerKing FAILED CONFIRMED someting hello SOME
NOTE
when I try this,
index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
|append [ | inputlookup test]
|stats values("ID") as ID, values ("Actual Value") as "Actual Value" ...and so on... by System
result comes out
ID ActualValue Status Remark Values
11 , 371 McDonald , BurgerKing PASS, FAILED CHECKED ,CONFIRMED something something hello , someting hello SOME
it's not separated.
Simply how to insert a inputlookup result to a table that shares a one common field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| lookup test ID
| table ID ActualName Status Remark Values- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've tried. it's not working.
index=test
|table System Status
simple need to input
|inputlookup test123
|table System IDnumber
so that result show
System IDnumber Status
struggling 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you using inputlookup when all you appear to need is lookup?
Is there something else in your usecase that requires you to use inputlookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
because it's subsearch.
inputlookup is required.
index does not contain such information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From your example, i.e.
ID Status Remark Values
11 PASS CHECKED something something hello
371 FAILED CONFIRMED someting hello SOME
becoming
ID ActualValue Status Remark Values
11 McDonald PASS CHECKED something something hello
371 BurgerKing FAILED CONFIRMED someting hello SOME
using a lookup called test with these contents
ID ActualName
11 McDonald
371 BurgerKing
a lookup as I showed would do this
Exactly how is your actual situation different from the above example which makes a simple lookup not work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have used your idea.
I got the table first
ID Status Remark
then use lookup to match the ID and output the ActualName
then print the table again.
REASON why didn't work first time was that the lookup table did not have the field as "ID" it had it as such as 'title'. and the original SPL search. therefore, I have renamed ID to title, then did the lookup, and THEN switched the title back to ID and table them out.
worked!! thank you so much. learned a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index = indextest
source=stest
bunch of evals = evals
sourcetype=sttext
| lookup test ID
| table ID ActualName Status Remark Values
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
