EDIT (just realized someone answered this too), so consider this my thumbs up to that. Though the embedded example others provided works, it should be used sparingly. The TL;DR: use a lookup AS a lookup. That scales even at large lookup sizes.

| mysearch | lookup mylookup host OUTPUTNEW host as to_filter | where isnull(to_filter)

gives you results where it is not in the table. This has the added option of using the lookup match types such as wildcard, CIDR, etc. Calling a CSV file directly in a subsearch does not. It is best to use the repeatable pattern.