Solved: Search two lookup tables for matching field values

marktechuk · ‎09-04-2019

Hi trying to search two lookup tables for matching fields values, both tables have the same fields.
Just looking to compare my output UserFromTest1 and UserFromTest2 for a match.

| inputlookup test1.csv UserName as User OutputNew User as UserFromTest1
| inputlookup test2.csv UserName as User OutputNew User as UserFromTest2

Thanks

rahulbhatia · ‎09-04-2019

It will show you the list of UserName's which are present in both the table, i have added count column to show the 2 different count value for the same UserName

View solution in original post

rahulbhatia · ‎09-04-2019

It will show you the list of UserName's which are present in both the table, i have added count column to show the 2 different count value for the same UserName

marktechuk · ‎09-04-2019

Worked great, thanks

wmyersas · ‎09-04-2019

You need to |where after the lookups (and I'd suggest case-insensitivizing it):

<first part of search>
| inputlookup test1.csv UserName as User OutputNew User as UserFromTest1
| inputlookup test2.csv UserName as User OutputNew User as UserFromTest2
| eval UserFromTest2=upper(UserFromTest2)
| eval UserFromTest1=upper(UserFromTest1)
| where UserFromTest2=UserFromTest1
| <rest of search goes here>

Search two lookup tables for matching field values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation