Hi all,
I've got a lookup file called devices.csv that contains 2 fields, hostname and ip_address. The index I'm searching has 2 fields, src_ip and dest_ip. I'd like to exclude results where both the src_ip and dest_ip fields match an IP address from my lookup file; it doesn't need to be the same IP, it just needs to be listed in that CSV. If either the src_ip field or the dest_ip field doesn't contain an IP address listed in the ip_address field, I would expect to see it.
I'm just looking for advice on whether this is the best way of querying the data. Current query:
index=network_traffic AND NOT ([| inputlookup devices.csv | fields ip_address | rename ip_address AS src_ip] AND [| inputlookup devices.csv | fields ip_address | rename ip_address AS dest_ip])
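An alternative form of the same filter, added here as an example and not part of the original post: instead of two subsearches, enrich each event with the lookup command and keep it when either side fails to resolve. It assumes devices.csv is uploaded as a lookup table with the ip_address and hostname columns described above; the src_host and dest_host field names are my own.

```spl
index=network_traffic
| lookup devices.csv ip_address AS src_ip OUTPUT hostname AS src_host
| lookup devices.csv ip_address AS dest_ip OUTPUT hostname AS dest_host
| where isnull(src_host) OR isnull(dest_host)
```

This keeps events where at least one endpoint is not in the CSV (including events with a missing src_ip or dest_ip, which the NOT (... AND ...) form also keeps), and it is not subject to the default subsearch row limit (10,000 results), which silently truncates the generated OR list once the lookup grows past it.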