Hi Sundareshr, | inputlookup lookupfilename.csv | map search="search index=foo sourcetype=bar ErrorMessage=\"$key$\" | eval Value=\"$value$\" " | eval MatchString="$key$" | table SNo ErrorMessage MatchString Value" The above syntax gives results only where there are mapping key -value pair, for example index=foo contains 100 records, the above syntax gives only mapping results assuming if 75 records are mapped with key with ErrorMessage then 75 records will get populate, the remain records will be ignored. inputlookup command to be used in the first place of search string and it can't support to use in the middle for search string. In the below example, it gives 100 records of which 75 records contains mapping key-value and the remaining records are still to be populate with blank in the corresponding Value field. For example : index="sample_data_index"|reverse |streamstats current=f last(LogDate) as LogDate last(ErrorMessage ) as ErrorMessage last(AppID) as AppID by incident_number|table incident_number LogDate AppID ErrorMessage Value ( Value - this has to get populate from lookup table with mapping string for ErrorMessage) The above search string contains 100 records, while using inputlookup after mapping ErrorMessage with corresponding Key-Value from lookup file, search string has to return 100 records, with additional column as Value where it fetches data from lookup field wherever finds match string. Thanks in advance for helping. Regards, Ravi ... View more

Thank you. I got the solution, it can be done through either stats or streams tats. Regards, Ravi ... View more

Hi @ravinallapareddy Glad you found a solution through @sundareshr , but please don't forget to resolve the post by clicking "Accept" directly below his answer. Also, be sure to upvote his answer for helping you out. ... View more