I have an inputlookup which have 2 fields index and count, I need to create an alert so that alert will trigger when we have greater value of real index values mentioned over count field in lookup.
I have used following query but I want to get pass the index name as a sub search to inputlookup.
|inputlookup idx_myvdf.csv | table index | stats count by index | where count > 0
I have tried below query as well, but still no result, want to pass index name mentioned under lookup and their actual count and then I want to put where count > actual_count
|tstats c by index where index[|inputlookup idx_myvdf.csv | rename index AS actual_index | fields actual_index] | table indexcount actual_index actual_count
Please suggest it's urgent
![alt text][1]
[1]: /storage/temp/274644-img-20190828-wa0017.jpg
↧