Thank u Renjith, I am trying the command inputlookup in the following manner - tell me if this is the right option - index=***** | inputlookup ***.csv This pulls up nothing. Could you provide me an example about how to do it......... ... View more

This generates some test data | makeresults | eval host="host_1", user="mike joe ken", action="allowed blocked", process="a b c" | makemv user| makemv action | makemv process | mvexpand user | mvexpand action | mvexpand process | streamstats count as recno | eval _time = _time + 100*recno | eval host=if(process="c","host_2",host) this kills a couple of the "blocked" records so that some are left open | where recno!=17 AND recno!=10 | sort user _time And here's the part you wanted. This uses the transaction command to match the "allowed" and "blocked" records when the other three fields match within a 5 minute period, and select only the transaction records where there is no "blocked" event. You can change the maxspan to whatever length of time is appropriate. | transaction host user process maxspan=5m | where duration=0 I used a test of the duration, but you could also use eventcount=1 or any number of other things about the transaction. ... View more