I'm working with a query where I'm using a lookup to enrich events based on the work_queue field and then filtering to pass forward only those events with a matching entry in the lookup file.
Here’s a simplified version of my query:
index="acn_ticket_summary"
| lookup Master.csv "AssignmentGroup" as work_queue outputnew Desk_Ind, cdl_gs, Support_Team
| where isnotnull(work_queue)
This filters the events, keeping only those that have a non-null work_queue after the lookup.
Requirement: I also need to capture the events that don’t match (i.e., those that result in isnull(work_queue)) for separate calculations. Is there a way to modify my query to keep both the matched and unmatched events?
Thank you in advance for your help!
Hi @krishna1,
You only have to remove the filter (where command).
Eventually, you could add a calculation (eval command) to indicate whether an event is matching or not, but it probably isn't relevant because the matching ones have a value in the work_queue field.
Ciao.
Giuseppe
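The approach from the reply above, written out as an added example that is not part of the original posts: the where filter is dropped and an eval flags each event, so both groups can be calculated separately. The names lookup_status, events and distinct_queues are chosen here for illustration. The example assumes that Desk_Ind, cdl_gs and Support_Team do not already exist in the raw events and that every row of Master.csv populates at least one of them.

```spl
index="acn_ticket_summary"
| lookup Master.csv "AssignmentGroup" as work_queue outputnew Desk_Ind, cdl_gs, Support_Team
| eval lookup_status=if(isnotnull(coalesce(Desk_Ind, cdl_gs, Support_Team)), "matched", "unmatched")
| stats count as events, dc(work_queue) as distinct_queues by lookup_status
```

The flag is derived from the lookup's output fields rather than from work_queue, because work_queue is the input to the lookup and keeps its value whether or not a row matched.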