I know this has been asked many different ways but, I cant seem to get the search correct.
I am attempting to "Don't Display Data that is less than 10 days old. I have to set-up a whitelist via a look table, the idea here is we add IP's or URL that show no threat, so want to stop seeing alerts coming in. But - we want to recheck the data again in 10 days.
This is my test search, But it still shows IP or URL's in the lookup table.
| from datamodel:"Threat_Intelligence"."Threat_Activity"
| search NOT [| inputlookup my_whitelist.csv | fields threat_match_value]
| where lastSeen>=relative_time(now(),"-10d") AND _time<=now()
| table _time threat_match_value
My look table fields are