Grateful if anyone can help or guide me in the right direction. I am running a search against a lookup table. The output is a list of websites that were accessed. The website and source address are in index1. I want to use the source address to search in index2 to locate the user assigned to that IP address. Matching is working well and I am stuck how to proceed with the 2nd search query. index=index1 domain=* OR index=index2
| lookup weblist.csv domain AS domain OUTPUT domain AS MATCHED
| where isnotnull(MATCHED)
| table _time, MATCHED, src, user In Index2, src_ip and user fields exist.
... View more