Hi everyone
Need your kind help.
I have 50+ fields under index='abc'.
I want to join the same with a lookup which has 5 fields, but the name of the field on the basis of which I am trying to join is different.
I am trying the following query:
index="abc" sorce_type="xyz" | join fieldA [ inputlookup abcdef | rename fieldX as fieldA]
Please help me out.
Thanks in advance.
Nikks
Since you are doing an inputlookup, you need a | character as the first part of that subsearch. If I were you, though, since you are using a lookup table to join the data, why not just use the "lookup" command itself? You could just do:
index="abc" sourcetype="xyz" | lookup abcdef fieldX as fieldA
Looks fine to me, other than misspelling sourcetype.
Try this and see what happens -
index="abc" sourcetype="xyz"
| join type=left fieldA [ | inputlookup abcdef.csv | rename fieldX as fieldA ]
| table fieldA ... some sample fields from main search... the fields from the lookup table...
| fillnull value="((none))"
Then the records that have all the lookup values set to ((none)) are the ones where no matching value for fieldA was found in fieldX.