Hi!
I have created a search that uses a dynamic lookup to find events in an index by searching the raw text:
Lookup.csv:

    id  value
    --  -----
    1   one
    2   two
    3   three

sample-index events:

    2020-01-17 11:42:37 Sample event one
    2020-01-17 11:42:33 Sample event five
    2020-01-17 11:42:31 Sample event two
Query:

    index=sample-index
    [
    | inputlookup Lookup.csv
    | table value
    | rename value as search | format
    ]
    | table _time , _raw
It works fine and returns events 1 and 3, but I want to list the values of the lookup that have matched the events (in this case it should return "one" and "two"). I think it should be done by counting the matches of all the values of the lookup in the results, but I don't know how to do it. The CSV is generated every day, so I can't put the values in the query.
Do you have any idea how to do it?
Thanks!
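The logic the question is after, matching each raw event against the current lookup values and then reporting which values hit and how often, shown as an added stand-alone Python example (not the poster's search and not Splunk SPL). The lookup CSV and event lines are constructed to mirror the sample in the post; `load_lookup_values`, `match_events` and `matched_value_counts` are names chosen here. Whole-token, case-insensitive matching is an assumption that approximates how a bare search term matches `_raw` in Splunk for single-word lookup values:

```python
import csv
import io
import re
from collections import Counter

# Constructed sample lookup, mirroring the post's Lookup.csv
LOOKUP_CSV = """id,value
1,one
2,two
3,three
"""

# Constructed sample events, mirroring the post's sample-index
EVENTS = [
    "2020-01-17 11:42:37 Sample event one",
    "2020-01-17 11:42:33 Sample event five",
    "2020-01-17 11:42:31 Sample event two",
]


def load_lookup_values(csv_text, field="value"):
    """Return the lookup values from the CSV's `field` column (re-read on every run,
    so a lookup file regenerated daily is picked up without editing the query)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[field] for row in reader if row.get(field)]


def matching_values(raw, values):
    """Return the lookup values that occur as whole, case-insensitive tokens in `raw`.
    Assumption: lookup values are single tokens, as in the post; whole-token matching
    avoids 'one' hitting 'someone'."""
    return [
        v for v in values
        if re.search(r"(?<!\w)" + re.escape(v) + r"(?!\w)", raw, re.IGNORECASE)
    ]


def match_events(events, values):
    """Attach to each event the lookup values that hit it; keep only events with a hit.
    This mirrors the subsearch filter (only events 1 and 3 survive) while also
    recording *which* value was responsible."""
    results = []
    for raw in events:
        hits = matching_values(raw, values)
        if hits:
            results.append({"_raw": raw, "matched": hits})
    return results


def matched_value_counts(events, values):
    """Count, per lookup value, how many events it matched.
    Values with zero hits (here 'three') are omitted, which is the list the post asks for."""
    counts = Counter()
    for row in match_events(events, values):
        counts.update(row["matched"])
    return dict(counts)


if __name__ == "__main__":
    values = load_lookup_values(LOOKUP_CSV)
    for row in match_events(EVENTS, values):
        print(row["_raw"], "->", row["matched"])
    print(matched_value_counts(EVENTS, values))
```

Running it prints the two matching events with their responsible lookup values and the per-value counts `{'one': 1, 'two': 1}`. In a detection context, keeping the matched value alongside the event (rather than only the filtered event list) is what lets an analyst see which indicator from the daily lookup fired, and a count of zero for a value is itself useful evidence that the indicator has not appeared.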