I have a query like this, which prints the number of message matches and an abbreviation:
sourcetype=source1 | rex "...(?<message>\S*)..." | eval message=case(like(message, "%message aaa%"), "ma", like(message, "%message bbb%"), "mb", like(message, "%message ccc%"), "mc", 1=1, message) | stats count by message
Result:
ma 4
mb 1
mc 18
However, as I add more messages to the search it's becoming too long, so I'm trying to switch to using a lookup table.
I have created a CSV lookup called messages.csv (example below):
longtext,shorttext
message aaa,ma
message bbb,mb
message ccc,mc
and tried various queries, including the one below, but they all fail, so I was hoping someone here might be able to give me a hint:
sourcetype=source1 | rex "...(?<message>\S*)..." | search [ | inputlookup messages.csv | fields longtext | rename longtext as message] | lookup messages.csv output shorttext | stats count by shorttext
Thanks in advance,
Ed
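Added example, not part of the original post. The `lookup` command needs to be told which lookup column to match against which event field; `lookup messages.csv output shorttext` names no match field, which is why that attempt fails. The search below keeps the post's placeholder `rex "..."` unchanged, assumes messages.csv is uploaded exactly as shown in the post, and adds a `coalesce` fallback (my choice, mirroring the `1=1, message` default in the original `case`) so events with no lookup match still count under their raw value rather than being dropped by `stats count by shorttext`:

```spl
sourcetype=source1
| rex "...(?<message>\S*)..."
| lookup messages.csv longtext AS message OUTPUT shorttext
| eval shorttext=coalesce(shorttext, message)
| stats count by shorttext
```

One caveat: a CSV lookup matches the whole value exactly, whereas the original `like(message, "%message aaa%")` is a substring match. To keep substring semantics, store wildcard patterns in the CSV (`*message aaa*,ma` and so on), create a lookup definition (assumed name `messages_wild`) pointing at messages.csv with match type `WILDCARD(longtext)` (in transforms.conf: `[messages_wild]`, `filename = messages.csv`, `match_type = WILDCARD(longtext)`), and replace the `lookup` line with `| lookup messages_wild longtext AS message OUTPUT shorttext`. The rest of the search is unchanged.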