Hi,
I need to join my query with a lookup which contains a field called username. I need to get the users who —
exist in both my main query index and the lookup
exist in lookup but do not exist in the main query index.
This is what my query looked like when I started writing this -
index="prod" sourcetype=prod_events
| dedup username
| eval type="MainIndex"
| eval username = lower(username)
| fields username type
| appendpipe
[| inputlookup test.csv
| eval type="lookup"
| eval username = lower(username)
| sort username
| fields type username
]
Any help is appreciated. Many Thanks
Add the below code to your search-
| stats dc(type) as dc, values(type) as type by username | where NOT(dc=1 and type="MainIndex")
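The stats/where filter from the answer above, as an added example that is not part of the original thread and can be run on any Splunk instance without the index or the lookup. The usernames are constructed sample data: the first makeresults block stands in for the prod index and the second for test.csv. It assumes append (rather than appendpipe) to combine the two sets, and the status field is a hypothetical label added to tell the two wanted groups apart.

```spl
| makeresults
| eval username=split("Alice,bob,BOB,carol", ",")
| mvexpand username
| eval type="MainIndex"
| append
    [| makeresults
    | eval username=split("alice,Dave,erin", ",")
    | mvexpand username
    | eval type="lookup"]
| eval username=lower(username)
| stats dc(type) as dc, values(type) as type by username
| where NOT (dc=1 AND type="MainIndex")
| eval status=if(dc=2, "in_both", "lookup_only")
| table username status
```

Lowercasing before the stats is what lets "Alice" from the events match "alice" from the lookup; usernames seen only in the events have dc=1 with type="MainIndex" and are dropped by the where clause.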