Assume I have a simple search that lists in a table the email addresses of those who recently sent an email:
index=email | table sender
The email index does not have a field that identifies the country the sender address is from; however, it is known that the listed sender addresses are from many different countries. If I have a lookup that contains all the email addresses located in the US using the format:
email country
address1@mail.com US
address2@mail.com US
...
How can I filter my search results to only contain sender email addresses from those located in the US (based off of the lookup), while also adding a field to the table that shows US?
You can use something simple like this:
index=email | table sender | lookup lookup_name email as sender output country | where isnotnull(country)
Or you can try a subsearch. Since the query only searches for the senders from the lookup, you can add country as US:
index=email [ | inputlookup lookup_name | rename email as sender | table sender | format] | eval country="US" | table sender country
Hope this helps.
@anilchaithu This works great! Thank you so much.