hello,

how can we combine stats and lookup on comparison of Tran and Look_Tran.

Current Results:

Tran   Count avgrt

Required Results (Matching Transaction_Details  to be pulled based on Tran  from lookup)

Tran Transaction_Details  Count avgrt

With the lookup command I mentioned in my first reply you can do so.
You have to replace "<lookup_name>" with the name of your lookup. If the field names you mentioned are correct then the query should work. Just add the line after the current result.
If it still doesnt work pls provide more information like the name of the lookup file, the exact names of the fields in the result and the exact names of the fields in the lookup file.

Look up file name is TransctionDetails.csv

if look at my initial post I have another query of stats to which I need to append

stats count(Tran) as count , Avg( responstime) as avgrt by Tran where Tran_lookup matches with Tran in index.

Expected output is ( Corresponding Transaction Details should be added to stats output).

Count ,Tran, Transaction_Details, avgrt 

| stats count(Tran) as count , Avg( responstime) as avgrt by Tran
| lookup TransctionDetails.csv Tran_lookup as Tran OUTPUT Transaction_Details
| fields Count ,Tran, Transaction_Details, avgrt 

if you only want the Events that have matching Transaction_Details add:

| where isnotnull(Transaction_Details)

My Expectation in the Example is that the Lookup is inside of Splunk and correctly configured.

Thank you. It worked.

However i was reviewing index data Splunk index has data like below with versions of Tran. But lookup file only has ABC and CDE as Transaction_Details is same for all versions of Tran. Such cases where there are multiple versions of Tran and 1 value of Transaction_Details is coming is empty. Is there a way lookup file can be searched for Prefix or some other way?

Tran

ABC

ABCVersion1

ABCVersion2

ABCVersion3

CDE    

CDE

CDEVersion1

CDEVersion2