Hi, I wonder whether someone could help me please.
I'm using the following query to to interrogate a summary index, matching this to a lookup table.
index=summary_dg_nmo report=ddcops3148V5
| lookup ddcops3148.csv telno OUTPUT telno as "Matched"
| eval Matched=if(isnotnull(Matched), "Y", "N")
| dedup telno
| table telno Matched Registered
The lookup table has 10 records and the summary index has 100 records and as you can see I extract the fields "telno", "Matched" and "Registered".
The problem I have is that in it's current format I'm extracting all 100 records, but I would only like to extract the 10 records from the lookup table then the field "Registered" from the Summary Index and then the "Matched" field.
I know that the lookup table can't filter so has to be at the beginning of the search, but I'm struggling to get this to work.
I just wondered whether someone may be able to look at this and offer some guidance on how I can make the changes.
Many thanks and kind regards
Chris
↧