Hello Splunkers
How can I utilize a lookup in a correlation search, showing the detected keyword in the search result?
It's a requirement that the analyst shouldn't have the capability to view lookups.
Thanks in advance.
Hi @msalghamdi ,
could you better describe your requirement, eventually with an example?
Ciao.
Giuseppe
Thanks for the prompt response.
Our risk team wants to provide a list of critical project keywords which will be stored as a lookup, and we'd search the DLP logs for any match in the lookup. But they require that the analyst shouldn't have the ability to view the lookup, which means that the analyst wouldn't know which keyword matched if the DLP captured more than one file/keyword in one log. So we thought maybe there's a way we can highlight matched keywords in the search.
You could try protecting access to the lookup by putting in a kv store and accessing it through a custom command. This custom command would be in an app which is protected from "casual" users with particular roles and permissions. The custom command would return the matching word without disclosing the contents of the lookup. This is not a trivial solution but may at least go some way to meeting your requirement.
Hi @msalghamdi ,
It isn't so immediate if you want to search on all the raw events; if instead you want to search on a predefined field, it's easier.
In the second case you can use the lookup command, something like this:
<your_search>
| lookup your_lookup.csv your_key OUTPUT your_key AS found_key
In the other case there was a solution from @somesoni2 to my same requirement of around 10 years ago, very hard to remember.
Ciao.
Giuseppe
Hello.
The field in my search is "file_name" while the field in the lookup is called "phrase". I tried to use this but it didn't work:
| lookup my_lookup.csv phrase OUTPUT file_name AS found_key
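The following is an added example, not code from any post in this thread, showing how the lookup command from Giuseppe's answer can be written for the file_name / phrase case above. It assumes a constructed lookup named critical_keywords (CSV column "phrase", defined in transforms.conf with wildcard matching so a phrase can be found inside a longer file name), events in a constructed index "dlp" carrying a "file_name" field, and a saved search that runs as an owner who can read the lookup while the analyst role cannot.

```spl
transforms.conf (constructed lookup definition, in an app the analyst role cannot read):

[critical_keywords]
filename = critical_keywords.csv
match_type = WILDCARD(phrase)

critical_keywords.csv (constructed sample rows; patterns, not plain words):

phrase
*Project Alpha*
*Q3 budget*

Search (the lookup's key field "phrase" is matched against the event field
"file_name" with AS, and the matching phrase is written back out as found_key):

index=dlp sourcetype=dlp:events
| lookup critical_keywords phrase AS file_name OUTPUT phrase AS found_key
| where isnotnull(found_key)
| table _time user file_name found_key
```

Because the key is renamed with AS in the input position, found_key carries the lookup row that matched rather than the event's own file_name, which is what the earlier attempt (OUTPUT file_name AS found_key) could not produce; when several phrases match one file name, found_key becomes a multivalue field listing each of them.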