I have configured my lookup as stated in the above documentation and I am getting the result except for non-matched values. How can I get the non-matched values?
Try this
... | eval fieldname=coalesce(fieldname, "deny")
After the lookup do this:
... | fillnull value="NotMatched" MyLookupOutputField
Thanks. fillnull value="NotMatched" MyLookupOutputField This works for values that Splunk did not realize from the source. My .csv has 2 values, "allow" and "deny". Right now I am getting "allow" for the values that match based on my automatic lookup definition; I just want the unmatched or "deny" to be added to my field when there's no match. Would a case statement with an if clause work?
Like this:
... | fillnull value="deny" MyLookupOutputField