@sumitkathpal, if your use case is to show the tstats count only for sources/domains present in the lookup, then instead of using | inputlookup, which will run as a subsearch, you can run the lookup command to identify the domains that are present in the lookup, and those which are not can be filtered out. Please try the following query.
| tstats `summariesonly` count from datamodel=Email by All_Email.src_user All_Email.subject
| `drop_dm_object_name("All_Email")`
| lookup local_domain_intel.csv domain as src_user outputnew domain as domainFromLookup
| search domainFromLookup!=""
| fields - domainFromLookup
Following is the run-anywhere sample approach that I used to test:
1) Created .15M events for the lookup. Used streamstats to create unique source names as domain. PS: datasource="lookup" is created as an identifier just for demo purposes.
| makeresults count=150000
| fields - _time
| streamstats count as domain
| eval domain="src".printf("%06d",domain), datasource="lookup"
2) Piped outputlookup to the above result to save it as localtestdata.csv
| outputlookup localtestdata.csv
3) Used a new query to generate stats count by various sources. PS: the count below can be changed to any number you want to test. I tested with 1.5M as well. Following is 15K for the demo example. The eval function random() along with substr() is used to generate some random count. PS: datasource="tstats" is just for demo purposes.
| makeresults count=15000
| fields - _time
| streamstats count as src_user
| eval src_user=if(src_user<=100,"0",src_user )
| eval src_user="src".printf("%06d",src_user), count=substr("".random(),4), datasource="tstats"
PS: The | eval src_user=if(src_user<=100,"0",src_user ) eval has been added to the raw events to rename the first 100 events as src000000 so that not all events from the search match data in the lookup.
4) Once the lookup file is created using Step 1 and Step 2 and you have run a new search with Query 3 to generate your sample events, you can match the src_user field in the raw events with the domain field in the lookup and filter only matched domains using the following command:
| lookup localtestdata.csv domain as src_user outputnew domain as domainFromLookup
| search domainFromLookup!=""
| fields - domainFromLookup