The abclogs index contains a field call "userid" and there is similar field "identity" in the file totalname.csv. Now I run the search as below to try to find out those userid which are not in the file totalname.csv
index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]
Here is the result:
⚠ Error in 'fields' command: Invalid argument: 'identity='jamessmith'
No idea how to fix it.
Like this:
index=abclogs | stats count by userid | eval userid=lower(userid) | search NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]
And if you like, tack on | fields userid
.
Did this work?
you will have to rename indentity as userid in your sub search
index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | rename identity as userid | table userid]