I have a search that returns a list of dealers, the types of vehicle and the report file uploaded to corporate. In the first example below, which works, I have to use reverse logic in the where clause of the lookup. In the second example I get both types of showroom if I use straight up A=B logic.
So my question is why?
Works
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval datType="car"
| eval show=if(datType="car","TRUCK","CAR")
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| where like(model,"%U%") AND showroom!=show
Results
Date        Time      Dealer         Type   model    Report_File
2014-05-01  00:30:49  Smith Chevy    CAR    U        SmithCarSales.zip
2014-05-01  00:42:21  Alltown GMC    CAR    A|C|O|U  AlltownCarSales.zip
2014-05-01  00:43:41  Alltown GMC    CAR    A|C|O|U  AlltownCarPartsSupply.zip
2014-05-01  00:44:01  Alltown GMC    CAR    A|C|O|U  AlltownRepairs.zip
2014-05-01  00:44:21  Alltown GMC    CAR    A|C|O|U  AlltownRepairsSupply.zip
2014-05-01  00:45:05  City Autoplex  CAR    A|C|U    CityAutoplexCarSales.zip
2014-05-01  00:45:10  City Autoplex  CAR    A|C|U    CityAutoplexCarPartsSupply.zip
Doesn't work
index="adviis" sourcetype="adviis" "*chevy*" /car/ sc_status<=299
| eval datType="car"
| eval show=if(datType="car","CAR","TRUCK")
| makemv delim="/" cs_uri_stem
| eval folder=mvindex(cs_uri_stem,1)
| lookup Master.csv folder OUTPUT Dealer, model, showroom
| where like(model,"%U%") AND showroom=show
Results
Date        Time      Dealer         Type   model    Report_File
2014-05-01  00:30:49  Smith Chevy    CAR    U        SmithCarSales.zip
                      Smith Chevy    TRUCK  U
2014-05-01  00:42:21  Alltown GMC    CAR    A|C|O|U  AlltownCarSales.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:43:41  Alltown GMC    CAR    A|C|O|U  AlltownCarPartsSupply.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:44:01  Alltown GMC    CAR    A|C|O|U  AlltownRepairs.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:44:21  Alltown GMC    CAR    A|C|O|U  AlltownRepairsSupply.zip
                      Alltown GMC    TRUCK  A|C|O|U
2014-05-01  00:45:05  City Autoplex  CAR    A|C|U    CityAutoplexCarSales.zip
                      City Autoplex  TRUCK  A|C|U
2014-05-01  00:45:10  City Autoplex  CAR    A|C|U    CityAutoplexCarPartsSupply.zip
                      City Autoplex  TRUCK  A|C|U