lookup will always run, always outputting the fields you tell it to, even if they are null.
And therein lies the key:
| rename user_email AS email
| lookup identity_ad email OUTPUTNEW bunit memberOf identity first last
| where isnotnull(bunit)
will skip all of the entries that didn't return a bunit field.
If you only want to keep those that don’t exist in the lookup table, do it this way:
| where isnull(bunit)
from User warren – Stack Overflow https://stackoverflow.com/questions/74527429/splunk-create-value-on-table-with-base-search-and-eval-from-lookup/74535462#74535462
via IFTTT
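The behaviour the answer relies on, modelled in Python as an added example (not the answer's own code, and not Splunk's implementation): every event leaves `lookup` with the requested output fields present, null where there was no matching row, so the `isnotnull`/`isnull` filters do the splitting. The sample events and the `identity_ad` rows are constructed; the model also goes one step beyond the answer by showing that OUTPUTNEW leaves a field alone when the event already carries a value for it (the event for bob), which is what separates it from OUTPUT.

```python
# Constructed sample data: three events from a base search, two of which
# have a matching row in the (also constructed) identity_ad lookup table.
EVENTS = [
    {"user_email": "alice@example.com", "action": "login"},
    {"user_email": "bob@example.com", "action": "login", "bunit": "legacy"},
    {"user_email": "ghost@example.com", "action": "login"},
]
IDENTITY_AD = [
    {"email": "alice@example.com", "bunit": "finance", "memberOf": "CN=Finance",
     "identity": "alice", "first": "Alice", "last": "Anders"},
    {"email": "bob@example.com", "bunit": "eng", "memberOf": "CN=Eng",
     "identity": "bob", "first": "Bob", "last": "Baker"},
]
OUTPUT_FIELDS = ["bunit", "memberOf", "identity", "first", "last"]


def rename(events, old, new):
    """Model of `| rename old AS new`."""
    out = []
    for e in events:
        e = dict(e)
        if old in e:
            e[new] = e.pop(old)
        out.append(e)
    return out


def lookup_outputnew(events, table, key, outputs):
    """Model of `| lookup <table> <key> OUTPUTNEW f1 f2 ...`.

    Every event comes out with every output field present (None when no
    row matched). OUTPUTNEW only fills a field the event has no value
    for; OUTPUT would overwrite it.
    """
    index = {row[key]: row for row in table}
    out = []
    for e in events:
        e = dict(e)
        row = index.get(e.get(key), {})
        for f in outputs:
            if e.get(f) is None:
                e[f] = row.get(f)
        out.append(e)
    return out


def where_isnotnull(events, field):
    """Model of `| where isnotnull(field)`: keep the matched entries."""
    return [e for e in events if e.get(field) is not None]


def where_isnull(events, field):
    """Model of `| where isnull(field)`: keep the entries absent from the lookup."""
    return [e for e in events if e.get(field) is None]


def run(keep_matched=True):
    looked_up = lookup_outputnew(rename(EVENTS, "user_email", "email"),
                                 IDENTITY_AD, "email", OUTPUT_FIELDS)
    filt = where_isnotnull if keep_matched else where_isnull
    return filt(looked_up, "bunit")
```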