Thank you for your suggestion.

Tried this, but I get a new row in table3.csv

field1,field2,comment3
"","",""

This is not acceptable for the later process. Empty rows are ok.

Changed your spl to

| inputlookup table3.csv
| appendpipe [ stats count | eval field1=NULL, field2=NULL, comment3=NULL ]
| fields field1, field2, comment3
| outputlookup table3.csv

But this is creating an empty lookup table3.csv again.

---

Tried this, but I get a new row in table3.csv

That is exactly what appendpipe is supposed to do.  If this is not acceptable, do not use appendpipe.  Have you tried fillnull @gcusello and I have suggested?

@PrewinThomas 
This is helpfull. It is not the solution I prefer at the beginning, but the result is acceptable for the later process of my scheduled searches.
For the documentation:
the appendpipe is not working in case there is ONLY the line with the fieldnames in the csv:

A_Row1: field1,field2

In case there is a LF in it like:
B_Row1: field1,field2

B_Row2:

it is running well. I get in the updated csv now:
C_Row1: field1,field2,comment3

C_Row2: ,,

I would feel better, if B_Row2 would not be necessary, but it I can handle this.

Many thx for your help.

Hi @mfleitma ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Make sure to apply fillnull before table

| inputlookup table3.csv
| fillnull field1,field2,comment3 value=-
| table field1,field2,comment3
| outputlookup table3.csv

Hello yuanliu,

fillnull is only working, if there is an empty row existing in addition to the fieldname. In case table2.csv has only the filednames in it, fillnull is not working.

I tried many things with fillnull, eval as well to add a row, append the new fieldname, but at the end I didn't manage to delete my added row to get only the original status of the lookup ONLY added by a next fieldname.