I have a lookup table that I'm using to exclude some devices from search results.
```
index = my_index
| lookup my_table local=true device_id OUTPUT device_id as ignore
| where isnull(ignore)
```
This works great, but I need to add an additional condition to only exclude devices if they are in the lookup table and the value of the field "code" = 0001. So an event shouldn't be excluded even if it is in the lookup table unless `code=0001`, and events with `code=0001` should be included if they are not in the lookup table.
I've tried the following, but this also removes all items where `code=0001`:
```
index = my_index
| lookup my_table local=true device_id OUTPUT device_id as ignore
| where (isnull(ignore) AND code!=0001)
```
I assume this is a dumb mistake in my logic, but I can't figure out what I'm doing wrong.
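To make the logic error visible, here is an added example (not from the original post) that models the lookup-then-`where` step on constructed events and a constructed lookup table, and compares the posted predicate with one that excludes an event only when it is both in the lookup and has `code=0001`; the equivalent SPL is given in the comments, with the code value quoted as a string so the leading zeros compare literally.

```python
# Added example (not from the original post): models the lookup-then-filter
# logic of the question on constructed data so the two predicates can be
# compared side by side. Event and lookup contents are made up.

EVENTS = [  # constructed sample events from "my_index"
    {"device_id": "dev-a", "code": "0001"},
    {"device_id": "dev-a", "code": "0002"},
    {"device_id": "dev-b", "code": "0001"},
    {"device_id": "dev-b", "code": "0002"},
]
LOOKUP_DEVICE_IDS = {"dev-a"}  # constructed contents of the "my_table" lookup


def with_ignore_flag(events, lookup_ids):
    """Mimic `lookup my_table device_id OUTPUT device_id as ignore`:
    'ignore' holds the matched device_id, or None when absent (isnull)."""
    return [dict(e, ignore=e["device_id"] if e["device_id"] in lookup_ids else None)
            for e in events]


def posted_filter(e):
    """The attempted `where (isnull(ignore) AND code!=0001)`.
    Requiring BOTH conditions keeps only events that are unlisted AND not 0001,
    so every code=0001 event is dropped, listed or not."""
    return e["ignore"] is None and e["code"] != "0001"


def corrected_filter(e):
    """Exclude only events that are in the lookup AND have code=0001.
    Equivalent SPL: `| where NOT (isnotnull(ignore) AND code="0001")`,
    or, by De Morgan's law: `| where isnull(ignore) OR code!="0001"`."""
    return not (e["ignore"] is not None and e["code"] == "0001")


def run(filter_fn, events=EVENTS, lookup_ids=LOOKUP_DEVICE_IDS):
    """Return the (device_id, code) pairs that survive the given where clause."""
    return [(e["device_id"], e["code"])
            for e in with_ignore_flag(events, lookup_ids) if filter_fn(e)]


if __name__ == "__main__":
    print("posted:   ", run(posted_filter))     # keeps only dev-b/0002
    print("corrected:", run(corrected_filter))  # drops only dev-a/0001
```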