Solved: Re: inputlookup csv

keyu921 · ‎05-25-2020

I setup testing.csv lookup as following
host,location
123,HK
234,US
345,UK

I would like to basic search if host matched in the log, stats count by location
index=log sourcetype=csv |search [|inputlookup testing | return $host]
| stats .... by location

But seems return nothings

gcusello · ‎05-25-2020

Hi @keyu921,
the command to use is lookup, try something like this:

index=log sourcetype=csv 
| lookup testing.csv host OUTPUT location
| stats count by location

Remember to define Lookup definitions.

Ciao.
Giuseppe

View solution in original post

keyu921 · ‎05-25-2020

index=* sourcetype=csv |search [|inputlookup testing| return 1000 $host]
| stats last(Size) last(Used) last(Use) by host

gcusello · ‎05-25-2020

Hi @keyu921,
the command to use is lookup, try something like this:

index=log sourcetype=csv 
| lookup testing.csv host OUTPUT location
| stats count by location

Remember to define Lookup definitions.

Ciao.
Giuseppe

keyu921 · ‎05-25-2020

thanks seems i mix up inputlookup and lookup

inputlookup csv

lookup

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation