We have got data which contains a field value in many places.

**Events**

```
2018-09-05 01:00:00 logged in by USER1
2018-09-05 01:00:01 logged in as USER2 by USER1
2018-09-05 01:00:02 logged in as USER3 by USER4 and as USER2 by USER1
2018-09-05 01:00:04 logged in as USER5 by USER6
```

**Reference lookup** (`usernames.csv`)

```
user,name
USER1,bob
USER4,chuck
```

The events are not parsed, and we just need to check whether USER1 or USER4 (`user` from the reference lookup) is present in the events. But there is NO field mapped in the raw events.

Hence, if I do the search below, no data shows up:

```
index=* [|inputlookup usernames.csv | fields user]
```

I believe the above search expands as `index=* (user=USER1 OR user=USER4)`.

I was looking for the search to expand like:

```
index=* (USER1 OR USER4)
```

So how do I remove the "user" field from the lookup, so it searches just for the "user" value without the field=value concept?
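
An added example, not part of the original post: in a subsearch, a field named `query` (or `search`) is handed back to the outer search as bare values with the field name dropped, so renaming `user` produces a raw-term match against the unparsed events. The `rex` step assumes the acting account follows the word "by", as in the sample events, and the field name `actor` is made up for illustration.

```spl
index=*
    [| inputlookup usernames.csv
     | fields user
     | rename user AS query
     | format ]
| rex max_match=0 "by (?<actor>\S+)"
| mvexpand actor
| lookup usernames.csv user AS actor OUTPUT name
| where isnotnull(name)
| table _time actor name _raw
```

Running the bracketed part on its own (without the brackets) shows the expanded string in its `search` field, which is a quick way to confirm the `user=` prefix is gone. Raw terms match whole tokens, so `USER1` does not match `USER10`.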