Good Day!
I am trying to figure out a way to compare a CSV file to a search and return only what is in the CSV file that was not in the search. I'm taking an email list and doing a search for all emails received; my end goal is to figure out emails in the CSV that haven't received an email in x days.
I have tried:
index=proofpoint
sourcetype=pps_messagelog
| rex field=envelope.rcpts{} "(\@(?<PP_To>[a-zA-Z0-9]+.+))"
| search envelope.rcpts{} = *
| rename envelope.rcpts{} as "PP_Rcpts"
| append
[ inputlookup DL_List.csv
| fields PP_Rcpts, "Display Name" ]
| table PP_To,PP_Rcpts, "Display Name"
| stats count by PP_Rcpts
| search count=1
| lookup DL_List.csv PP_Rcpts as PP_Rcpts output PP_Rcpts,"Display Name"
| search PP_Rcpts!=""
I.e.
CSV
a
b
c
d
e
f
g
Search Return
c
d
e
f
h
i
j
Wanted Results (after CSV lookup)
a
b
g
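One way to get the "in the CSV but not in the search" set described above, as an added example that is not part of the original post: it counts mail per recipient first, appends the lookup rows, and keeps only addresses that came from DL_List.csv and have no count. The `earliest=-30d` window stands in for "x days", and `received` and `in_csv` are field names made up for this example; lowercasing both sides assumes the addresses should match case-insensitively.

```spl
index=proofpoint sourcetype=pps_messagelog earliest=-30d envelope.rcpts{}=*
| rename envelope.rcpts{} as PP_Rcpts
| mvexpand PP_Rcpts
| eval PP_Rcpts=lower(PP_Rcpts)
| stats count as received by PP_Rcpts
| inputlookup append=true DL_List.csv
| eval PP_Rcpts=lower(PP_Rcpts), in_csv=if(isnull(received), 1, 0)
| stats sum(received) as received, max(in_csv) as in_csv, values("Display Name") as "Display Name" by PP_Rcpts
| where in_csv=1 AND isnull(received)
| table PP_Rcpts, "Display Name"
```

With the sample lists in the post (CSV a to g, search returning c, d, e, f, h, i, j) this leaves a, b and g. Because the lookup is appended rather than run as a subsearch, the result is not cut short by subsearch row or time limits.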