For that, you use inputlookup. It's simply the reverse logic. I will use the same assumptions about your index search, with the same assumed field names.

| inputlookup roomlookup_buildings.csv where NOT
[search index=buildings_core "Buildings updated in database*"
| rex "REQUEST_UNIQUE_ID:(?<request_unique_id>[^ ]+)"
| rex "Buildings updated in database:\s(?<buildings>\{[^}]+\})"
| eval buildings = replace(buildings, "[{}]", "")
| eval buildings = split(buildings, ",")
| mvexpand buildings
| eval building_from_search1 = mvindex(split(buildings, ":"), 1)
| fields building_from_search1
| rename building_from_search1 as buildings]
| rename buildings as buildings_only_in_lookup

Using the same emulation as shown above, the mock data would give

buildings_only_in_lookup
Antara

Also, a point about the name building_from_search1 (or building_from_index_search as in your latest comment). Its value comes from an original field named "buildings", which is the same as in the lookup. It is much easier to keep using that name on the left-hand side of the assignments because there doesn't appear to be any use of the original value downstream.