@to4kawa that's right. It worked without join command.

Also is there a way to list out the unmatched url's from csv. I mean I want to run a search against those URL's in the CSV (around 900) for last 90 days and just list out the one's which are not present in the search/events.

Let me know if you can advice please.

index=myapp_pp sourcetype=access_combined GET host="my-server-*" NOT [|inputlookup vanity.csv | rename url as requested_content |fields requested_content]
| stats values(requested_content) as requested_content

try NOT for unmatched searching.

@to4kawa Thanks for your quick response but this search will give all the results from my search.

So what I am looking for this is -

probably a table something like this - My lookup contains one column with around 800 requested_content and I want to find if any of those present in my search. If yes then "yes" and if not then "no".

Basically, I only want to list out the requested_content from the csv whether it's matched or not. I don't want to print anything else from the main query.

Hope I am able to explain. Let me know if it requires another question.

I have tried something like this but it doesn't work -

index=myapp_pp sourcetype=access_combined GET host="my-server-*"
| eval type="MainIndex" 
| fields requested_content type
| appendpipe  
    [| inputlookup vanity.csv  
    | eval type="lookup" 
    | rename vanity_url as requested_content 
    | fields type requested_content ] 
| stats dc(type) as pot, values(*) AS * by requested_content
| where pot=1 and type="lookup"

I see your problem. but your problem is another question. Please ask a separate question.