Hello, so basically both lookups have a lookup definition in which there should be a minimum match of 1. for all other occations (no match) the value no_match will be outputed. Now, each lookup shows whether for example the ip_address matches with what is in the lookup, if it does it outputs it into the corresponding field. if not, it outputs the value "no_match". this is done for both lookups so in the end I have a table with at least two rows of ips and occationally instead of an ip a no_match. in the end (hence the |search) I'm looking for Ips in which there is no match in both lookups. now when I first tried it with |inputlookup I didn't realize it doesn't give me the same results. because I did it like this: NOT [|inputlookup <lookupname>| table ip_address] which doesn't look for matches but rather neglects anything that is in the lookup and the field ip_address. the only reason I'm using an inputlookup instead of the |lookup command is that I'm trying to use it within a tstats command. I've managed to incorporate the inputlookup, but I can't really see how to use the lookup. I think I can't just go on with an |lookup command after the tstats by commant correct? because I do't get any results when I try this: <base search with tstats>
| lookup lu_cisco_umbrella_top_1_million domain as ut_domain output domain as cisco_umbrella_domain
| lookup lu_majestic_top_1_million domain as ut_domain output domain as majestic_domain
| search cisco_umbrella_domain=no_matches AND majestic_domain=no_matches
... View more