Knowledge Management

How can I use a lookup table for a partial match against an index?

dusoldkai
New Member

What I wanted to do is a simple search in our proxy logs to find accesses to known bad domain names. Currently we do not have the threatintelligence-app installed.

I created a lookup table that only consists of one column called murl containing domain names hosting malicious sites.

| inputlookup table.csv produces a simple list

covidcyphers.com
covid19sci.com
suite401-covid19.com
covid-taskforce.com
titan-covid19.online

If I use that as a lookup in a search I do not get matches, even when I use domains included in the log.

index="proxy" | eval murl=url | lookup table.csv murl AS url OUTPUTNEW murl AS new | where dst like new
(I also tried "%new%" and the like)

I then tried to use inputlookup in a subsearch instead:

index="proxy" url !="" [inputlookup table.csv where url in(murl) ]

and it told me that the IN function needs a list of strings separated by commas: string1,string2,string4

so I experimented with the format/return (1000 $murl) commands

index="proxy" where url IN([inputlookup table.csv| fields murl| format "" "" "," "" "" ""])

but did not reach my goal …

Is there a way to turn the inputlookup result into a comma-separated list to be used in the IN function?
Or does anybody have a search command that can do a partial match against a list of values provided by a lookup table?

Thank you very much

Kai

1 Solution

manjunathmeti
Champion

Try this:

index="proxy" [ | inputlookup table.csv | eval url="*".murl."*" | fields url | format]

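The accepted answer works because format turns the subsearch rows into an OR-ed search clause: with the five-row lookup above, the subsearch expands to ( ( url="*covidcyphers.com*" ) OR ( url="*covid19sci.com*" ) OR ... ), which the outer search matches against the raw url field. Two caveats follow for a detection use case. First, *domain* is a substring match, not a domain match: url="*covid19sci.com*" also hits covid19sci.com.cdn.example or notcovid19sci.com, and a short entry such as a bare TLD would match almost everything. Second, subsearches are capped (by default 10,000 results and 60 seconds), so a large blocklist is silently truncated. The search below is an added example, not from the thread and not Splunk's own code; it assumes the same table.csv with a murl column, that url holds the requested URL as in the question, and that the host can be extracted with the rex pattern shown (the field names dhost and the rex pattern are assumptions; adjust them to the proxy's log format). It matches the extracted host either exactly or as a subdomain of a listed domain rather than as a substring:

```spl
index="proxy" url!=""
| rex field=url "^(?:[A-Za-z][A-Za-z0-9+.-]*://)?(?<dhost>[^/:?#]+)"
| eval dhost=lower(dhost)
| search [ | inputlookup table.csv
           | eval murl=lower(trim(murl))
           | eval dhost=mvappend(murl, "*.".murl)
           | mvexpand dhost
           | fields dhost
           | format ]
| table _time dhost url
```

The subsearch emits ( ( dhost="covidcyphers.com" ) OR ( dhost="*.covidcyphers.com" ) OR ... ), so www.covidcyphers.com matches while covidcyphers.com.cdn.example does not. For blocklists larger than the subsearch limit, define the CSV as a lookup in transforms.conf with match_type = WILDCARD(murl), store the patterns as both covid19sci.com and *.covid19sci.com, and replace the subsearch with | lookup on dhost; that scales with the lookup file rather than with the subsearch cap.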

dusoldkai
New Member

Thank you very much! I thought it must be very easy 😉
