Hi @barneser,
As I said, the fieldname that you use in lookup (ip_lookup) must be already extracted in your logs and must have the same name, otherwise you cannot use this search.
In other words, if in your logs there's a field called "ip", you have to rename the field in the lookup
index = * [|inputlookup Test_www.csv |rename ip_lookup AS ip | fields ip ]
| ...
If there isn't any field in your logs you have to use the second search I hinted:
index = * [ | inputlookup CTI_Test_www.csv | rename ip_lookup AS query | fields query ]
| ...
Ciao.
Giuseppe
... View more