How do I use the lookup command to filter events based on one of the fields but then just add the rest of the fields to the remaining events? For example, I want the events in my base search to be filtered by values that match field1 in the lookup file. But then I just want the field2 and field3 values from the lookup file to be added to the remaining events, since these two fields don't exist in the base events.
How would I modify the below query so that it's not filtering by field2 and field3 as well, but simply appending these values to the remaining events?
base search ... [|inputlookup partner.csv | fields field1 field2 field3 ]
Here are two ways to do this. Try both and see which is faster for your data sets:
base search [ | inputlookup partner.csv | fields field1 ] | lookup partner.csv field1 OUTPUT field2 field3
base search | lookup partner.csv field1 OUTPUT field2 field3 | where isnotnull(field2) OR isnotnull(field3)
I'd expect the first option to work well if the size of your CSV is quite small compared to the number of events being searched in the base search. If the CSV is quite large and the base search alone does not return that many events, then the second might be faster.
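A small Python model of the two answers above, added here as an illustration (it is not Splunk code and not from the original thread). It uses a constructed partner.csv and constructed base events, renders an approximation of what the subsearch expands to in order to show why keeping field2 and field3 in the subsearch rejects every event, and checks that both suggested options yield the same enriched events:

```python
import csv
import io
# Constructed stand-in for partner.csv (not the asker's real file).
PARTNER_CSV = """field1,field2,field3
10.0.0.5,acme,gold
10.0.0.9,globex,silver
"""

# Constructed base-search results; note field2/field3 never appear here.
BASE_EVENTS = [
    {"field1": "10.0.0.5", "action": "login"},
    {"field1": "10.0.0.7", "action": "login"},
    {"field1": "10.0.0.9", "action": "logout"},
    {"field1": "10.0.0.5", "action": "logout"},
]

def load_lookup(text=PARTNER_CSV):
    return list(csv.DictReader(io.StringIO(text)))

def subsearch_filter(rows, fields):
    """Approximate how '[| inputlookup ... | fields ...]' expands: one clause
    per lookup row, ANDing every kept field, with the clauses OR'd together."""
    clauses = ["(" + " AND ".join(f'{f}="{r[f]}"' for f in fields) + ")" for r in rows]
    return "(" + " OR ".join(clauses) + ")"

def matches(event, rows, fields):
    """An event passes the subsearch filter if some row agrees on every kept
    field, so keeping field2/field3 rejects events that lack those fields."""
    return any(all(event.get(f) == r[f] for f in fields) for r in rows)

def enrich(event, rows, key="field1", output=("field2", "field3")):
    """'| lookup partner.csv field1 OUTPUT field2 field3': copy the output
    fields from the first matching row; no match leaves them null (absent)."""
    row = next((r for r in rows if event.get(key) == r[key]), None)
    return {**event, **{f: row[f] for f in output}} if row else dict(event)

def original_query(events, rows):
    """The asker's query: filters on all three fields, so nothing survives."""
    return [e for e in events if matches(e, rows, ["field1", "field2", "field3"])]

def option_one(events, rows):
    """Subsearch restricted to field1, then lookup to append field2/field3."""
    return [enrich(e, rows) for e in events if matches(e, rows, ["field1"])]

def option_two(events, rows):
    """Lookup every event, then keep those where the lookup populated a field."""
    return [e for e in (enrich(e, rows) for e in events)
            if e.get("field2") is not None or e.get("field3") is not None]
```

The model takes the first matching lookup row per event; a real lookup with duplicate field1 values in the CSV would produce multivalue fields instead.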