I read your requirement: "I would like the search to pull back all matching SDOMAINS and anything that does NOT match RDOMAIN" two possible ways:
1. Return all events which match SDOMAINS and all events which do not match RDOMAIN
2. Return all events which match SDOMAINS and which do not match RDOMAIN
For the first:
sourcetype=8*
| rex field=rcpt "\S+@(?<RDOMAIN>\S+)"
| rex field=from "\S+@(?<SDOMAIN>\S+)"
| search
[| inputlookup "MMDomains.csv"
| fields SDOMAIN ]
OR NOT
[| inputlookup "MMDomains.csv"
| fields RDOMAIN ]
For the second:
sourcetype=8*
| rex field=rcpt "\S+@(?<RDOMAIN>\S+)"
| rex field=from "\S+@(?<SDOMAIN>\S+)"
| search
[| inputlookup "MMDomains.csv"
| fields SDOMAIN ]
NOT
[| inputlookup "MMDomains.csv"
| fields RDOMAIN ]
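An added example (not part of the answer above) that expresses the second reading with the lookup command instead of subsearches, so the match is not capped by the subsearch result limit; it assumes MMDomains.csv carries both an SDOMAIN and an RDOMAIN column, as the two subsearches imply, and that the domains in the file are lower-case, so both extracted fields are lower-cased before matching.

```spl
sourcetype=8*
| rex field=rcpt "\S+@(?<RDOMAIN>\S+)"
| rex field=from "\S+@(?<SDOMAIN>\S+)"
| eval SDOMAIN=lower(SDOMAIN), RDOMAIN=lower(RDOMAIN)
| lookup MMDomains.csv SDOMAIN OUTPUTNEW SDOMAIN AS sdomain_match
| lookup MMDomains.csv RDOMAIN OUTPUTNEW RDOMAIN AS rdomain_match
| where isnotnull(sdomain_match) AND isnull(rdomain_match)
| fields - sdomain_match rdomain_match
```

sdomain_match is only populated when the sender domain is in the lookup, and rdomain_match only when the recipient domain is, so the where clause keeps events whose sender matches and whose recipient does not; replacing AND with OR in the where clause gives the first reading.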
When you say "all IPs used more than 50 times", do you mean IPs that have generated at least 50 events in your logs? If so:
index=* sourcetype=*
| stats values(email_address) AS email_address, count by ip
| where count>50
This will return all IP addresses seen in more than 50 events and the email_address values associated with those IP addresses.