I created this PART 2 as the previous thread is getting long.

Recap: I am trying to monitor login behavior to an online application using WAF logs. The userID may be associated with multiple sourceIP(s).

I use the following query to create a reference point, historic_login_list.csv. (I run this for last 90 days but not include current day)

index=waf sourcetype=waf_logs " key words" | stats count  by  userID  sourceIP GeoLoc | dedup userID sourceIP| outputlookup append=f historic_login_list.csv 

I use the following query to compare results to the reference list.

 index=waf sourcetype=waf_logs " key words" | fillnull value=NULL userID | stats count  by  userID  sourceIP GeoLoc  _time| dedup]userID sourceIP| search NOT [|inputlookup historic_login_list.csv |fields userID sourceIP GeoLoc]

I use a fill null in the comparative query as it picks errors, and I added _time for investigative purposes.
I have scrubbed the historic list csv to discard data that is unusual or not a normal reference point.

Does anyone know of a better way to do this??? and get the results that I am after...

I appreciate any suggestions to improve or make more efficient.

Thank you for your review.