Hello Team,
I have a lookup table with 1000 employees' data in it, like email, id and others.
I have a search which also produces the same results, like employee email, id, and status.
I want to combine both of them so my search produces data only for employees who are in the lookup table.
I tried passing the lookup, but it's fetching all data.
This is what I am using ("EmployeeEmail" is a term in the lookup table):
index=Employeedata sourcetype=data
|lookup InT_EM as EmployeeEmail
|table EmployeeEmail, status
Maybe I should rephrase the question.
So I have one index which has all Employeedata like email, status, id, region etc. (index=employeedata)
I have a lookup table which has the data in this format (table)
id | EmployeeEmail | laptopnam | blah | blah |
A1234 | a@gmail.com | 0 | 0 | 0 |
A1233 | b@gmail.com | 0 | 0 | 0 |
A1235 | c@gmail.com | 0 | 0 | 0 |
I want to get the information of all employees listed in this table from index=employeedata, for that, I am using
index=employeedata sourcetype=ldap
| lookup table employeeemail as email
| table email, status, id, region
but the results are inconclusive.
Can someone please see what is wrong with this?
index=employeedata sourcetype=ldap
| lookup table employeeemail as email
| table email, status, id, region
First of all, your illustrated lookup table contains a stylized column name "EmployeeEmail" but the above code uses all-lowercase "employeeemail". This doesn't match anything. Second, even if corrected for column name spelling, command lookup gives you extra fields with matching entries but does not remove events that contain no match.
To limit output, use where on a field that exists in the table but not in original events, e.g.,
index=employeedata sourcetype=ldap
| lookup table EmployeeEmail as email
| where isnotnull(laptopnam)
| table email, status, id, region
On the other hand, I would recommend not to use email as lookup criteria because id, which exists in both raw events and lookup table, is perhaps more unique?
index=employeedata sourcetype=ldap
| lookup table id
| where isnotnull(laptopnam)
| table email, status, id, region
I used the same. No results.
Suppose your lookup outputs a field EmployeeName, you go
index=Employeedata sourcetype=data
|lookup InT_EM as EmployeeEmail
|where isnotnull(EmployeeName)
|table EmployeeEmail, status
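
An added example (not from any poster in this thread) of the filter pattern discussed above: it writes the matched lookup value into a dedicated field so the `where` test cannot collide with a field that already exists in the events, and it filters before `table` drops that field. The lookup name `table`, its `EmployeeEmail` column and the event field `email` are taken from the thread; the field name `in_lookup` and the `lower(trim(...))` normalization are assumptions.

```spl
index=employeedata sourcetype=ldap
| eval email=lower(trim(email))
| lookup table EmployeeEmail AS email OUTPUT EmployeeEmail AS in_lookup
| where isnotnull(in_lookup)
| table email, status, id, region
```

CSV lookups match values case-sensitively by default, so the normalization only helps if the lookup's `EmployeeEmail` values are stored in lowercase, as in the sample rows.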