1) I have got a query whose output is events that contain a field called CV4_TExCd.
The base query looks like this:
index=ivr sourcetype=ivr_SEF applicationName=TestApp CV4_TExCd!=000000
2) I have a lookup table that has 2 columns, Site and TeamCode:
TeamCode Site
84001 SiteA
84001 SiteA
84002 SiteA
84002 SiteA
84003 SiteA
9001 SiteB
9001 SiteB
9002 SiteB
9002 SiteB
9003 SiteB
37001 SiteC
37001 SiteC
37002 SiteC
37002 SiteC
37003 SiteC
3) I want to search the field CV4_TExCd against TeamCode from the lookup table and, when found, count by Site.
4) I was playing around with this query below but I noticed that my count is doubled. I have no idea why! :(
index=ivr sourcetype=ivr_SEF applicationName=TestApp CV4_TExCd!=000000 _time=* | lookup lookupTable TeamCode AS CV4_TExCd OUTPUT Site AS Site | stats count by Site
Please help and thanks in advance!