Hi,
I don't totally agree with you:
↓"host_name" is added if IP is known from source1
| lookup source1 host_ip OUTPUT host_name
↓if host_name is known from source1, then keep the host_name, otherwise set it to NULL (which I hope will 'delete' the field)
| eval host_name= if(host_name=="NONE", NULL, host_name)
↓if host_name already exists, then do nothing, otherwise try to find a match
| lookup source2 host_ip OUTPUTNEW host_name
This behavior is confirmed if I use only:
| lookup source1 host_ip OUTPUT host_name
| eval host_name= if(host_name=="NONE", NULL, host_name)
I have a host_name
But when I add
| lookup source2 host_ip OUTPUTNEW host_name
I have 'NONE' as host_name, which is the behavior of no match (but the lookup is performed despite the 'OUTPUTNEW' clause)
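An added Python model of the three SPL commands in the post (example code, not Splunk's own implementation and not the poster's): it shows that OUTPUTNEW only skips the write when the field is already present, so once eval has nulled host_name the second lookup runs and, on a miss, writes whatever default it is configured with. The tables SOURCE1/SOURCE2, the functions lookup, eval_null_if_none and pipeline, and the assumption that both lookups carry a transforms.conf-style default_match of "NONE" are constructed for this illustration.

```python
# Toy in-memory model of `| lookup ... OUTPUT|OUTPUTNEW` and of
# `| eval host_name=if(host_name=="NONE", NULL, host_name)`.
# Assumption: a lookup may carry a default_match value that is written when
# no row matches; the post's "NONE" result suggests such a default is set.
from typing import Optional

# Constructed sample lookup tables keyed by host_ip.
SOURCE1 = {"10.0.0.1": "web01", "10.0.0.2": "db01"}
SOURCE2 = {"10.0.0.3": "mail01", "10.0.0.2": "legacy-db01"}


def lookup(event: dict, table: dict, key: str, out: str,
           outputnew: bool = False, default_match: Optional[str] = None) -> dict:
    """Model `| lookup <table> <key> OUTPUT|OUTPUTNEW <out>`.

    OUTPUTNEW leaves the event alone only when `out` already exists. When the
    lookup does run and finds no row, `default_match` (if configured) is
    written, which is what the post observes as 'NONE'.
    """
    if outputnew and event.get(out) is not None:
        return event  # field already present: OUTPUTNEW does not overwrite
    match = table.get(event.get(key))
    if match is not None:
        event[out] = match
    elif default_match is not None:
        event[out] = default_match
    return event


def eval_null_if_none(event: dict, field: str) -> dict:
    """Model `eval field=if(field=="NONE", NULL, field)`: NULL removes the field."""
    if event.get(field) == "NONE":
        del event[field]
    return event


def pipeline(host_ip: str, default_match: Optional[str]) -> Optional[str]:
    """Run the post's three commands on one event and return its host_name."""
    ev = {"host_ip": host_ip}
    ev = lookup(ev, SOURCE1, "host_ip", "host_name", default_match=default_match)
    ev = eval_null_if_none(ev, "host_name")
    ev = lookup(ev, SOURCE2, "host_ip", "host_name", outputnew=True,
                default_match=default_match)
    return ev.get("host_name")


if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9"):
        print(ip, pipeline(ip, "NONE"), pipeline(ip, None))
```

With a default_match configured, an IP unknown to both tables ends as "NONE" exactly as in the post; with no default_match the field simply stays absent.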