I have a lookup table like:
Date ID Name
02/04 12547 xxx
02/04 12458 xxx
02/04 14587 xxx
I am running basesearch | table Date ID Name
Date ID Name
02/08 12547 xxx
02/08 12458 xxx
02/08 45896 xxx
02/08 47523 xxx
I want to compare my search table to the lookup table and output the non-matching results to my search table. I tried selfjoin but it did not work. Is there any other way I can do this?
Like this:
index="YourIndexHere" AND sourcetype="YourSourcetypeHere"
| lookup YourLookupHere.csv Date ID Name OUTPUT Name AS MatchIfNotNull
| search NOT MatchIfNotNull="*"
Hi @karu0711
Something like this will find the base search results that are not in the lookup table.
basesearch
| table Date ID Name
| stats values(*) AS * BY ID ``` dedup the basesearch results by ID ```
| inputlookup append=true <add your lookup file here>
| stats count values(*) AS * BY ID
| where count=1 ``` filter results that are not in the lookup file ```
Hope this helps
I got the non-matching IDs, but I am getting an output table with only Date and ID.
The Name field is not populating.
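
An added example (not part of the original posts) of the append-and-compare approach from the answer above, with every row tagged by its source so that only base-search rows whose ID is missing from the lookup are kept, with their own Date and Name fields. The sample rows are the ones from the question, built with makeresults format=csv (assumes a Splunk version that supports it); src and sources are hypothetical field names.

```spl
| makeresults format=csv data="Date,ID,Name
02/08,12547,xxx
02/08,12458,xxx
02/08,45896,xxx
02/08,47523,xxx"
| eval src="search" ```constructed sample rows standing in for: basesearch | table Date ID Name```
| append
    [| makeresults format=csv data="Date,ID,Name
02/04,12547,xxx
02/04,12458,xxx
02/04,14587,xxx"
    | eval src="lookup"]
| eventstats dc(src) AS sources BY ID ```number of distinct sources (1 or 2) that contain each ID```
| where src="search" AND sources=1 ```keep search rows whose ID never appears in the lookup```
| table Date ID Name
```

In a real search, replace the first makeresults with the base search and the subsearch body with an inputlookup of the lookup file, keeping both eval src lines. Because the filter also requires src="search", an ID that exists only in the lookup (14587 in the sample) is not returned.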