Hi,

My task involves creating a search in datamodel i.e network_traffic, below is the base search how we could convert it to data model search 

| tstats summariesonly=t
values(All_Traffic.src_ip) as src_ip,
dc(All_Traffic.dest_port) as num_dest_port,
values(All_Traffic.dest_port) as dest_port
from datamodel=Network_Traffic by All_Traffic.dest_ip
| where num_dest_port > 100

 | search NOT [| inputlookup  addresses.csv | search (comments =*scanner*) | fields IP AS ALL_Traffic.src_ip | format ]

colored in red is not working as expected !!

Thanks..