I have a main search that returns a table output of "IP,MAC,Host,Location".
I would like to do a subsearch with the MAC address, but I cannot pass the MAC to the subsearch so that it works properly. I want to output just a simple "Yes" if it exists in the separate source.
I have looked at the documentation on fields and format and at multiple questions here; however, I cannot get what I think should be a simple query to work properly. Below is just a simple example...
The field returned by the first search is MAC, as you see; the subsearch field is DMAC.
Example
source=* | lookup IPInfo IP | stats values(IP), values(MAC), values(Host), values(Location) | appendcols [search=othersource where MAC=DMAC | eval MACExists="Yes" | table MAC MACExists]
Looking for an output similar to this...
IP MAC Host Location MACExists