Hi @innoce, as @ITWhisperer said, it's possible to update your hosts list using the outputlookup value in a search that takes values from the events and from the lookup. Only one question: what to do with values in the lookup that aren't more present? do you want to list? Anyway, please try something like this (if the lookup is named "perimeter.csv"): | metasearch index=<your_index>
| eval host=lower(host), status="events"
| append [ | inputlookup perimeter.csv | eval host=lower(host), status="lookup" | fields host status ]
| stats
dc(status) AS status_count
values(status) AS status
BY host
| eval Status=case(status_count=2,"Host present both in Events and Lookup", case status="events","New host present only in Events",status="lookup","Old host present only in Lookup")
| table host Status
| outputlookup perimeter.csv Ciao. Giuseppe
... View more