I have a query I'm working on where not all the values I feed it are in the index I am querying against.
For example, suppose I have two emails, lrhg@gmail.com and charlie.brown@peanuts.com:
index=windows sourcetype=ActiveDirectory lrhg@gmail.com OR charlie.brown@peanuts.com | dedup name
Currently only charlie.brown@peanuts.com is in the index. As a result I only return the Event for charlie.brown@peanuts.com.
I'd like to have my query return two records, one for lrhg@gmail.com and one for charlie.brown@peanuts.com, even if there are no results for lrhg@gmail.com: something where the event is essentially blank except for the lrhg@gmail.com value.
Any thoughts out there?
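One way to get a row per searched value regardless of whether the index contains it, as an added example (not part of the question above and not tested against the poster's data): seed the result set with the full list of emails via a `makeresults` subsearch, append it to the real search, and aggregate by email. It assumes the AD events carry the address in a field called `mail` and the account name in `name` (both assumptions; substitute the real field names), and it parenthesizes the OR so the two addresses group with the `index` and `sourcetype` filters rather than the second address matching on its own.

```spl
index=windows sourcetype=ActiveDirectory ("lrhg@gmail.com" OR "charlie.brown@peanuts.com")
| dedup name
| eval email=lower(mail)
| append
    [| makeresults
     | eval email="lrhg@gmail.com,charlie.brown@peanuts.com"
     | makemv delim="," email
     | mvexpand email
     | fields email ]
| stats values(name) AS name, count AS hits BY email
| eval hits=hits-1
| eval status=if(hits>0, "found", "missing")
```

Each placeholder row contributes one to `count`, so subtracting one leaves the number of real events per address; an address with no events comes out with an empty `name`, `hits=0` and `status=missing`, which is the "blank except for the email" row asked for. `append` plus `stats` is preferred over `join type=left` because it stays within the subsearch limits and does not need a sorted, deduplicated right side.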