Hi @adamhands96, no you can run a single search: index=my_index ([ | inputlookup IOC1.csv | rename IP AS src_ip | fields src_ip ] OR [ | inputlookup IOC1.csv | rename Ip AS dest_ip | fields dest_ip ]) NOT ([ | inputlookup IOC2.csv | rename IP AS src_ip | fields src_ip ] OR [ | inputlookup IOC2.csv | rename Ip AS dest_ip | fields dest_ip ]) | ... Ciao. Giuseppe ... View more