@waJesu 

Hi,

Let's assume your events have a field named url_domain. You can combine your lookup with a subsearch to filter events:

index=main [| inputlookup blocklist.csv where suspicious=1 | table Domain | rename Domain as url_domain ]

This expands to, for example:

index=main ( ( url_domain="foo.example.com" ) OR ( url_domain="bar.example.com" ) OR ( url_domain="baz.example.com" ) )

You can also use lookups for filtering in the search pipeline:

index=main
``` perform pre-filtering tasks here ```
| lookup blocklist.csv Domain as url_domain output suspicious
| search suspicious=1