I have a couple logins (user) and the ip addresses (c_ip) in a lookup table. As a true test to make a search to compare these values with the values in the log file, and if they do not match, I need to trigger an alert.
If you want to find the IP address which are not part of lookup, try
"Your search on log files and list of fields" NOT [|inputlookup lookup_name |dedup user,c_ip|fields user,c_ip]
Make sure that you have user and c_ip as fields in the log file or rename the corresponding fields to match with lookup field names
Test this search and if its working, then add |stats count to the end of the search and create alert if count > 0
View solution in original post