index=IndexName
| table username ip_address_new id_new desti
| lookup file.csv user as username OUTPUT user id_old ip_address_old
| where NOT (id_new = id_old AND ip_address_new = ip_address_old AND username = user)
Can I combine "where" and "if" command together
Or do something like this
need to write something like this
if id_new != id_old:
| eval match_id = not match id
elif username != user:
| eval match_user = not match user
elif ip_address_new != ip_address_old:
| eval match_ip = not match IP address
else:
| eval ....
No, you cannot mix "where" and "if". They are two different things used for two different purposes.
If you want to conditionally set different fields, you need separate set of conditions for each field (you might however reference a field you just set in the previous step in the pipeline - that can simplify things a little).