We have a list of Ips in a lookup table and we want to search events that doesn't match with them.
The lookup definition "scanners_lookup" has a field called "Ip_Scanner" and the events in the index we are looking for has another called "source_ip". How do we build the search? We have tried several approachs that don't work.
index=my_index | lookup scanners_lookup Ip_Scanner | where source_ip != IP_scanner
... View more