Thank you....I'm guessing this is the only way to do it?  Add-on is required?  I see it does offer the ability to look at Auth info as well which we are interested in.  Thanks for the reply.  I'll look into it!!  🙂 ... View more

Thanks Rich, appreciate your help!! ... View more

I think I found it at this posting https://community.splunk.com/t5/Splunk-Search/inputlookup-compare-the-field-values-in-my-logs-with-lookup/m-p/210673   index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | table email | rename email as SenderAddress ] earliest = -90d this seems to give me the events i'm looking for....now I just need to organize the events by IP Address ... View more

sorry, i'm not understanding.  when I search using index=app_messagetrace sourcetype=ms:o365:reporting:messagetrace [ | inputlookup AllSenders.csv | return 1000 email ] earliest = -90d.....I get 0 results.  I think it's because it doesn't realize what "email" is in the actual log....so I want to connect it to SenderAddress.....I see you have written "The subsearch runs first, reads in the lookup file then formats the first 1000 results (you can change that number) into (email=foo OR email=bar OR ..." but I'm not sure how to change the query for my purposes....sorry I'm new at this....been reading and watching tutorials but finding it a bit confusing. ... View more

thanks for the quick reply Rich.  I realize now the heading in the csv is "email" but in the log data, i want it to search by SenderAddress...how do I indicate this in the query? ... View more