Exactly, so highleted with red. if match host and if_name with lookup file, then list user info.

Regards.

Again I ask: What is your question?

So you know enough to highlight the syntax error in red, but not enough to look up the syntax and fix it?

Please describe the problem you are trying to solve.

Sorry, i can't list with user info, i need lookup syntax which is check ip and port from lookup file. How can i do this with correct lookup syntax? I should check 2 multivalue field and than add to user info. I hope, understand.

<base_search>  | lookup list.csv ip as host AND port as if_name OUTPUT user |stats count by host,if_name,user

The syntax for the lookup command is in the Search Reference manual at https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Lookup#Syntax

Did you try removing the AND keyword as I implied in my first reply?

I can't say I've tried it before, but I believe lookups do not work with multi-value fields.  You'll have to use mvindex or another multi-value function to get a single-value field for the lookup.

Hello,

Now, i have some changes but still i can't list with lookup file's value;

<base search> |eval user_info=host."".Huawei_int |lookup fttb_user.csv ipport as user_info OUTPUT user |search user_info=10.58.35.144GigabitEthernet0/0/7 | stats count by Date,user_info,Huawei_status | sort -count |where count>6

Stats without user field;

Stats with user field;

lookup csv file;

It's impossible to say why the data is not matching the lookup without seeing the data.  Please share some samples.

Also, the lookup command is specifying the 'user_info' field, which does not exist in the lookup file.