I am running a query to find the list of users that received an email from a particular email address. This is working fine until I try to get more details by using Inputlookup. I want to use Inputlookup to get more details about the users, like their department, location, etc., which can only be done through that. I need to pass the results from the search to get the other details. The search lists all the userids since I strip out the domain by using the regex.
Here is my query:
sourcetype=sendmail to=*
[ search sourcetype=sendmail from=email@gmail.com
| fields qid]
| rex field=orig_recipient "(?[^@]+)"
| dedup orig_recipient
| inputlookup append=t identity_lookup_expanded where * identity=$orig_recipient$]
| table orig_recipient dept email some other fields
Any help would be appreciated!
The $ operator only applies in the map command and when referencing inputs to a dashboard.
Why use inputlookup here? Why not lookup identity_lookup_expanded email as orig_recipient OUTPUT bunit, work_city, work_country?
This worked perfectly!
Thanks a lot for your prompt response...
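The lookup suggested in the answer above, applied to the search from the question, as an added example that is not part of the original thread. It assumes the lookup's email column holds the full recipient address, so the match is done before the domain is stripped; the userid field name and the fillnull step are illustrative additions.

```spl
sourcetype=sendmail to=*
    [ search sourcetype=sendmail from=email@gmail.com | fields qid ]
| dedup orig_recipient
| lookup identity_lookup_expanded email AS orig_recipient OUTPUT bunit, work_city, work_country ```assumes the email column holds the full address```
| fillnull value="unknown" bunit work_city work_country ```recipients missing from the lookup stay visible```
| rex field=orig_recipient "^(?<userid>[^@]+)@" ```userid is a hypothetical field name```
| table userid orig_recipient bunit work_city work_country
```

Unlike inputlookup, which loads the lookup table's rows as results, lookup enriches each event in the pipeline by matching on a field value, so no $token$ substitution is needed.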