I have a query I'm working on using tstats and lookup.
My lookup is named hosts_sites and has two columns, hosts and site.
My sample query is below:
| tstats latest(_time) as latest where index=main by host | lookup hosts_sites hosts as host OUTPUT site | table host, site, latest
How can I make sure that my table includes non-matches? I want to make sure that hosts in the lookup that were not matched are included in the table so they can be addressed/remediated.
Try like this:
| tstats latest(_time) as latest where index=main by host | append [| inputlookup hosts_sites | rename hosts as host | table host site ] | stats values(site) as site values(latest) as latest by host | table host, site, latest
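An added example, not part of the original answer: the same tstats-plus-lookup comparison, extended to label both kinds of mismatch (hosts in hosts_sites with no events in index=main, and hosts sending events that are missing from the lookup) and to show only those rows. The field names in_lookup and status are introduced here for illustration, and lower-casing host assumes host names should be compared case-insensitively.

```spl
| tstats latest(_time) as latest where index=main by host
| eval host=lower(host)
| append
    [| inputlookup hosts_sites
     | rename hosts as host
     | eval host=lower(host), in_lookup=1
     | fields host site in_lookup]
| stats max(latest) as latest values(site) as site max(in_lookup) as in_lookup by host
| eval status=case(isnull(latest), "in lookup, no events",
                   isnull(in_lookup), "reporting, not in lookup",
                   true(), "ok")
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S")
| where status!="ok"
| table host, site, latest, status
```

The time range of the search decides what counts as "no events", so a host that last reported before the search window shows up as "in lookup, no events".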