Thanks,

The mvappned doesnt want to extract the 2nd field from the lookup 😞

eval query=mvappend(Sanitised, someOtherFieldHere)

I have the impression that you have a misunderstanding on how lookups and mvappend works - maybe it helps if you re-read that part of the docs to make sure your expectations match.

Thanks, I'm getting results against the "Sanitised" field in the lookup table but for some reason the query does not want to output the second field from the lookup. Any ideas?

data is present in the lookup table for the second field . When the search completes just the second filed column is empty.

There is no extraction happening. Either the field is in the lookup file and has values or not. If so, then my solution will work. If not, then it will not and you need to repair the lookup file.

This is working for me at the minute but the search is unable to output a second field from the same "threatlist.csv" lookup file. The lookup table contains two fields "Sanitised" which is the bad IP in a sanitised format and "Threattype" which holds the treat name.

Index= * | search [| inputlookup threatlist.csv | eval Sanitised=replace(Sanitised, "[.]", ".") | table Sanitised | rename Sanitised as query | format] | table _time, Threattype, Sanitised ......................

Can you confirm whether what you want to achieve is this:

• search all indexes for events matching the list of (sanitized) bad IP addresses and then lookup the threattype associated with the respective IP address?

For being able to do a lookup of the threat type after searching for the events that match the bad IP list, you'd need to have that IP address in a field in your search results.

Are you applying this to some specific data, where you actually know that the IP address ends up in a specific field (or a few potential fields)?