Hi @gcusello

I can rename my field like below,

|inputlookup tci|search indicator="*"|rename tag.name as tag|table indicator tag

Also I looked into the definition of the tci lookup, where I could see in the supported field column it is "tag". So I ran the query as below,

sourcetype="ms:o365*" | rename SenderAddress as indicator |lookup tci indicator output type,rating,tag|where isnotnull(type)|dedup indicator|table indicator tag

Now I am not getting any error, but my tag column is empty.

Then I tried running the below query without renaming the tag.name field, since the tag field was supported in the earlier query,

|inputlookup tci|search indicator="*"|table indicator tag

Here it says, No matching fields exist.