I have created a search that contains a field that is unique. I am using this search to populate the index. however for some reason when I try and check to see if the record is in the index it doesn't work for me. The closest I have come is this: | localop | rest .... ```first search key field``` |eval soar_uuid= id+"_RecordedFuture" |append [search index=rf-alerts soar_uuid|rename soar_uuid as ExistingKey] | table soar_uuid,triggered,rule.name,title,classification,url,ExistingKey The above returns a list of new records with a blank ExistingKey field, and matching keys for soar_uuid of existing records with a blank soar_uuid field. If I could just populate either with the other field, then I could remove all the duplicates. I want to remove the new records that match the existing records before writing the events to the index. appendsearch instead of append doesn't seem to return the existing records.
... View more