I'm relatively new to Splunk and I'm trying to use an existing lookup table to append columns to a search where the field name in the lookup table is not the same field name from the output of the search. i.e.
index=ti-p_tcr_reporter* source=tcr_reporter* earliest=-2d@d latest=-1d@d BOA_TICKETNUMBER="INC*"
| stats count as Incidents by BOA_AIT
| eval AppID=BOA_AIT
| appendcols [inputlookup tcr_ait-info
| fields AppID, AppFullName, AppStatus]
So BOA_AIT is the field name from the originating search whose value I want to look up in the tcr_ait-info table, where the corresponding field name is AppID. Then, I want to append the columns AppFullName & AppStatus that correspond to the appropriate field BOA_AIT/AppID.
I'm probably miles off above but any assistance would be greatly appreciated.