Hi @Sunjux,

Ugh, that is strange. I don't know what kind of data would result in "invalid" for the typeof() function. Is there no visible difference between query and csv_query? Maybe one of them is in quotes and the other is not, or something like that? What you could try is to transform both of them to string. But I am not sure if it works with the csv_query in that case. See if the "confirmation" SPL works like that:

sourcetype="isc:bind:query"
| stats count(query) by query
| sort - count
| fields query
| eval query=tostring(query)
| appendcols
[| inputlookup DnsQueryLog.csv | eval query=tostring(query) | rename query as csv_query]
| eval compare=if(query==csv_query, "equal", "not_equal")
| eval type_of_query=typeof(query)
| eval type_of_csv_query=typeof(csv_query)

If that works, you might want to try the initial SPL again like this:

sourcetype="isc:bind:query"
| stats count(query) by query
| sort - count
| fields query
| eval query=tostring(query)
| search NOT
[| inputlookup DnsQueryLog.csv | eval query=tostring(query) | fields query]