I'm currently collecting IoCs in terms of IPs and Domain names and want to run searches towards my historical log-data to find infected computers. Currently I'm putting the data into two lookup files and structured the data like this: Dangerous,Dangerous2 IP,IP IP2,IP2 And the same for Domain. This is the search I'm running for the IPs: index=*Logdata for analysis* sourcetype=*Firewall* | lookup Dangerous_Ips.csv Dangerous AS dest_ip OUTPUT Dangerous2 AS dest_host2 This works fine as the new field dest_host2 includes all the matches and i have verified this by adding known IPs from the logdata. However the searches seem to take a long time, and I'm not sure if its due to my non-optimized search or that its just too much logdata. My goal was to search through the last 7 days each day, however that will on average be 168 000 000 log rows and when i tried it now searching the first day took about 2h. Time is not critical to me but 10-12hours for one search feels a bit to long. Is there anything i can do with my lookup search or the data layout in my lookup file, or i just need to accept the fact that it will take a lot of time? ... View more