Hello @richgalloway I have followed the query and this is how I should write it. First query: (index="main" OR index="c3d_infra") sourcetype="aws:description" aws_account_id="*" region="*" source="*:ec2_instances" | search private_ip_address="172.19.122.6" Second query: " index=c3d_security host=ip-172-23* rule=corp_deny_all_to_untrust NOT dest_port=3031 | table src_ip dest_ip transport dest_port application" If I merge it , please check below. sourcetype="aws:description" s1_field4="Completed" | search s1_field1=$from_token$ | append [ search sourcetype="pan:traffic" | rename s2_field1 as s1_field2 ] | stats values(*) as * by s1_field2 | table s1_field2, s1_field1,s2_field2,s2_field3 or do I have to write like this. " index=c3d_security host=ip-172-23* rule=corp_deny_all_to_untrust NOT dest_port=3031 | table src_ip dest_ip transport dest_port application" | sourcetype="aws:description" s1_field4="Completed" | search s1_field1=$from_token$ | append [ search sourcetype="pan:traffic" | rename s2_field1 as s1_field2 ] | stats values(*) as * by s1_field2 | table s1_field2, s1_field1,s2_field2,s2_field3   ... View more

I have used this query at the end of the search and it worked. | join type=left Rule [inputlookup ignore_cve.csv | eval flag="0"] | search NOT(flag=0) | where isnull(flag) I also tried your option which you have suggested and please find the result below. NOT [| inputlookup ignore_cve.csv | fields Rule | rename Rule as CVE] but I am still getting the error though I have used "CVE"    ... View more

Rule is the field name. ... View more

I have added this " | search NOT [|inputlookup ignore_cve.csv]" but I am still getting all the CVE's which I dont want in my report. ... View more

I am sharing the query with you here so kindly advise.   `aws-inspector-findings` serviceAttributes.assessmentRunArn="*" `aws-inspector-rex-arn` | search (accountId="*") (region="*")| dedup arn| search (severity="*")| spath OUTPUT=agentId assetAttributes.agentId | where isnotnull(agentId)| eval CreatedAt=substr(createdAt, 1, 19) | join type="left" serviceAttributes.rulesPackageArn [search `aws-inspector-runs` arn="*" | dedup rulesPackages{}.arn | rename rulesPackages{}.arn as packageArn, rulesPackages{}.name as packageName| eval row=mvzip(packageArn, packageName, "|") | mvexpand row | rex field=row "(?<packageArn>.*?)\|(?<packageName>.*)" | table packageArn packageName | rename packageArn as "serviceAttributes.rulesPackageArn"]| rename packageName as "Rules Package"| eval Links = if(isnotnull(agentId), "<a id=topology_link>Show in Topology</a> | <a id=ec2_link>Show Instance Details</a>", "") | sort -numericSeverity | join agentId type="left" [search earliest=-1d `aws-description-resource((aws_account_id="*"), (region="*") , "*")` | rename id as agentId ] | rename severity as Severity, id as Rule, agentId as "EC2 Instance ID", tags.Name as "EC2 Instance Name"| fillnull value="N/A" | table Severity, "EC2 Instance ID", "EC2 Instance Name", "Rules Package", Rule, CreatedAt, Links, title, description, recommendation, numericSeverity | search NOT [|inputlookup ignore_cve.csv] ... View more

  @s2_splunk here is the csv file for your reference and also I will try the suggestion, keep you updated.  ... View more

I have followed the below article. https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-inputlookup-command-Invalid/m-p/227023 Added this to my search : NOT [|inputlookup ignore_cve.csv | fields CVE Number, DateAdded, Reason, CVSS Score] But again getting this error : Error in 'table' command: Invalid argument: 'DateAdded=2021-09-09'   ... View more

Hello @s2_splunk Thanks for your response and yes this is what I am looking for but seems one more error I am getting " Error in 'table' command: Invalid argument: 'CVE Number".. CVE Number is my column name and table with vulnerabilities which I dont want to be in my search. Regards, Neelesh Tiwari  ... View more