Solved: user name missing or exist in search

pr_blr · ‎05-17-2013

I am reading user from lookup file and then searching a search and find the user list from lookup file and giving table as user and status missing or exist in search.
please suggest me what should be the efficient way of doing this.

kml_uvce · ‎05-17-2013

there are 2 ways of doing this.
1) Use left join : <first search of lookuptable> left join <second search>
2) use transaction and append on user: <first search of lookuptable> |append <second search> |transaction user|use if condition to see any field of second search exist then make value as exist otherwise missing.

second way of doing is faster than first...

kamal singh bisht

View solution in original post

kml_uvce · ‎05-17-2013

there are 2 ways of doing this.
1) Use left join : <first search of lookuptable> left join <second search>
2) use transaction and append on user: <first search of lookuptable> |append <second search> |transaction user|use if condition to see any field of second search exist then make value as exist otherwise missing.

second way of doing is faster than first...

kamal singh bisht

pr_blr · ‎05-17-2013

thanks second option works for me

user name missing or exist in search

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

user name missing or exist in search

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits