The problem I have is that if I call both fields in the same query I get a match on the condition that both fields are present, and I stop seeing the numbers that only meet the first example.

Let me try to understand. So, the problem is that the following two queries return different datasets.

1. index="cdr_cfs_index" "Call.TermParty.TrunkGroup.TrunkGroupId"="2230" "Call.OrigParty.CallingPartyAddr"="*"
2. index="cdr_cfs_index" "Call.TermParty.TrunkGroup.TrunkGroupId"="2230" "Call.OrigParty.CallingPartyAddr"="*" "Call.CallForwardInfo.LastRedirectingAddr"="*"

Is that correct? In other words, the lookup is just a confounding factor.

Have you tried the OR operator? Like

index="cdr_cfs_index" "Call.TermParty.TrunkGroup.TrunkGroupId"="2230" ("Call.OrigParty.CallingPartyAddr"="*" OR "Call.CallForwardInfo.LastRedirectingAddr"="*")
| lookup DIDSMCM Call.OrigParty.CallingPartyAddr OUTPUT Call.OrigParty.CallingPartyAddr AS foundInLookup
| where isnull(foundInLookup)
| stats count by Call.OrigParty.CallingPartyAddr Call.CallForwardInfo.LastRedirectingAddr

Here, it is not clear what your expected output is, so I cannot tell if it meets your requirement or even if it will give you any result at all. But at least that will give you all events that search 1 returns for the lookup command.