Hello Splunkers,

First of all, than you all for such great community.

I have a question. I am running a query in which I am using appendcols to append the results of a subsearch to my initial search. I am doing this because I am managing large datasets and I want to avoid using the JOIN command. My query is the following one:

index=active_directory (source="ACTIVE_DIRECTORY")
| dedup NUUMA
| eval NUUMA=tostring(upper(NUUMA))
| table NUUMA DISPLAYNAME UserAcControl

| appendcols [search index=active_directory source="APP1" | dedup USERNAME | fields USERNAME UserAcControl |eval NUUMA=tostring(upper(USERNAME)) | fillnull value=NULL UserAcControl]

| stats values(UserAcControl) count by NUUMA

I am getting the results that I need, but after the STATS command, I need to select the UserAcControl attribute with NULL values. I have tried doing something like this, but it is not working:

…| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)

I am attaching a screenshot showing the the values that I want to capture.

Any thoughts??

Thank you!!