Answer:
Lookup does not support != (not equal to) straight out of the box, but we can achieve it. See the example below.
Let's say I have a lookup file personal/emp_name1 which has the field "emp_name" with values "PQR", "HIG".
I have some data ingested which shows the name and age of employee, like below:
# age name2
1 22 EFG
2 21 ABC
3 25 HIJ
4 20 PQR
Now, we want to display the "name" and "age" of those employees who are not present in the lookup table personal/emp_name1.
The query would be like below:
(_collector=<name of collector>)
| parse "\"*\", *" as name2,age
| lookup name from personal/emp_name1 on name2=name
| if (isNull(name), "no_name", name) as name1
| where name1="no_name"
| fields - name, name1, _raw
RESULT
# Time age name2
1 10/26/2020 15:06:32.276 +0530 22 EFG
2 10/26/2020 15:06:32.276 +0530 21 ABC