After several days of being blocked on an issue regarding lookups, I am trying to get a little help here.
Here is my problem: I have an asset that brings me alerts, sometimes the same alert, so I want to exclude the duplicate ones. For this, I created a lookup that saves the results of my alert's query. This part works great, and afterwards I want to exclude the events that do not match ALL the fields of the lookup.
So my lookup is like this: duplicate.csv
The fields of my search events have the SAME names as my lookup fields.
Here is my query at the moment (the subsearch bracket was left unclosed in the original; closed here):
index=xxxxxx | search NOT [| lookup duplicate.csv subject AS source,dest AS dest,malware AS malware ]
| outputlookup append=true duplicate.csv
I don't know how to create the link between the search fields and the lookup fields because they share the same name.
And I don't know how to display the events ONLY if they match all the fields in my lookup (4).
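Two ways to do the "exclude events already present in the lookup" step, added here as an example and not taken from the post above. It assumes the lookup `duplicate.csv` has the three columns named in the post (`subject`, `dest`, `malware`; the post mentions a fourth but does not name it, so it is not included) and that the event field matching `subject` is called `source`, as the posted `lookup` clause implies.

```spl
/* Option 1: subsearch. inputlookup reads the CSV (the posted query used
   `lookup`, which needs incoming events and returns nothing inside an
   empty subsearch). The subsearch is turned into a search expression of
   the form ((source="a" AND dest="b" AND malware="c") OR (...)), so an
   event is dropped only when ALL three fields match one lookup row.
   rename makes the generated clause use the event field name.
   Caveat: subsearches are capped (10,000 rows / 60 s by default), so this
   stops being reliable once the lookup grows large. */
index=xxxxxx
| search NOT [
    | inputlookup duplicate.csv
    | fields subject dest malware
    | rename subject AS source
    | format
  ]
| dedup source dest malware
| table _time source dest malware
| rename source AS subject
| outputlookup append=true duplicate.csv

/* Option 2: lookup-based flag, no subsearch size limit. The lookup is
   joined on all three fields at once; a row matches only when every
   input field matches (lookup matching is case-sensitive by default).
   `seen` is populated only for matched events, so keeping isnull(seen)
   keeps the new alerts. The dedup before outputlookup prevents the same
   alert, seen twice in one run, from being appended twice. */
index=xxxxxx
| lookup duplicate.csv subject AS source, dest AS dest, malware AS malware OUTPUT subject AS seen
| where isnull(seen)
| dedup source dest malware
| table _time source dest malware
| rename source AS subject
| outputlookup append=true duplicate.csv
```

If the fourth lookup column must also be part of the match, add it to the `fields`/`dedup`/`table` lists and to the `lookup` input fields; leaving it out means a row matching on only the other three fields is still treated as a duplicate.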