Hi @sfurkan,

I suppose that your alert is something like this:

your_search
| table _time user

if your lookup isn't a kvstore, you could try to modify your alert in this way:

your_search
| table _time user
| outputlookup temp_lookup

then schedule the following two searches to run:

| inputlookup users.csv 
| search NOT [ | inputlookup temp_lookup | field user ]
| table <lookup_fields>
| outputlookup users.csv

the after 5-10 minutes:

| makeresults
| search ppp=XXX
| outputlookup temp_lookup

 If instead your lookup is a kvstore follow this url https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/kvstore/aboutkvstorecollections/

Ciao.

Giuseppe

Hi @sfurkan,

You can use below sample;

| inputlookup users.csv where user!=deleted_user
| outputlookup users.csv