Issue: Unable to see the correct result after running the query.
I have a lookup file (.CSV) which consists of some fields (AD group, user ID), and an event log which consists of the fields (user ID, IP address, malware, DNS).
The file has the fields AD group, user ID:
AD_group user ID
Event log:
The event has some fields: user ID, IP address, malware, DNS.
Here only user ID is common to the .CSV and the event log,
but the ADgroup field is available only in the .CSV file.
When running the below query:
`index=main ADgroup="AD1" | table userid ADgroup`
Here I am trying to search only the AD1 group in the query, but I am getting a result with three AD groups (AD1, AD2, AD3), where the user_id name John is common to these 3 groups.
Why am I getting an unexpected result here?