Creating lookups to reduce noisy alert volume

Create lookups using the Splunk App for Lookup File Editing and use the lookups in searches and dashboards to reduce noisy alert volume. Lookups help to add context and track changes during an investigation, manage asset and identity correlation with events, match threat indicators with events, and enrich dashboards and panels with information.

You can separate the fields that indicate regular business traffic instead of risk using lookups.

For example, in the following search the NOT clause excludes the source and destination pairs listed in the RR_Proxy_Allowlist.csv lookup from the results. The lookup stores the fields under their data model names (Web.src, Web.dest), so the rename drops the Web. prefix to make them match the field names in the raw proxy events:

index=proxy http_method="POST" NOT [| inputlookup RR_Proxy_Allowlist.csv | fields Web.src Web.dest | rename Web.* AS *]

You could also do this with a data model. Because tstats works with the data model field names, no rename is needed in the subsearch:

| tstats summariesonly=t values(Web.dest) AS dest FROM datamodel=Web.Web WHERE Web.http_method="POST" NOT [| inputlookup RR_Proxy_Allowlist.csv | fields Web.src Web.dest] BY _time, Web.src
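The following is an added example, not from the Splunk documentation, that mimics in Python how the NOT subsearch above suppresses allowlisted traffic, and why the rename matters: the allowlist CSV, the proxy events and the domain names are constructed, and the field names follow the search above.

```python
import csv
import io

# Constructed allowlist in the shape RR_Proxy_Allowlist.csv implies:
# data model field names (Web.src, Web.dest) as the column headers.
ALLOWLIST_CSV = """Web.src,Web.dest
10.0.0.5,updates.example-vendor.test
10.0.0.7,telemetry.example-saas.test
"""

# Constructed raw proxy events (index=proxy). Raw events carry src/dest
# without the Web. data model prefix.
PROXY_EVENTS = [
    {"src": "10.0.0.5", "dest": "updates.example-vendor.test", "http_method": "POST"},
    {"src": "10.0.0.9", "dest": "paste.example-unknown.test", "http_method": "POST"},
    {"src": "10.0.0.7", "dest": "telemetry.example-saas.test", "http_method": "GET"},
    {"src": "10.0.0.7", "dest": "c2.example-unknown.test", "http_method": "POST"},
]


def inputlookup_fields(csv_text, rename_prefix=None):
    """Mimic `| inputlookup RR_Proxy_Allowlist.csv | fields Web.src Web.dest`
    and, when rename_prefix is given, `| rename Web.* AS *`.
    Returns the subsearch rows as dicts of field -> value."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if rename_prefix:
            row = {k[len(rename_prefix):] if k.startswith(rename_prefix) else k: v
                   for k, v in row.items()}
        rows.append(row)
    return rows


def not_subsearch(events, subsearch_rows, method="POST"):
    """Mimic `index=proxy http_method="POST" NOT [subsearch]`. Splunk expands the
    subsearch rows to `(f1=v1 AND f2=v2) OR (...)`; an event is dropped when any
    row matches it field by field. A field absent from the event never matches."""
    def matches(event, row):
        return all(event.get(f) == v for f, v in row.items())
    return [e for e in events
            if e["http_method"] == method
            and not any(matches(e, r) for r in subsearch_rows)]


def filtered_with_rename():
    # Allowlisted pair (10.0.0.5, updates...) is suppressed; the other POSTs remain.
    return not_subsearch(PROXY_EVENTS, inputlookup_fields(ALLOWLIST_CSV, "Web."))


def filtered_without_rename():
    # Keys stay Web.src/Web.dest, raw events have src/dest: nothing is suppressed.
    return not_subsearch(PROXY_EVENTS, inputlookup_fields(ALLOWLIST_CSV))
```

Comparing the two results shows the silent failure mode of a lookup whose field names do not match the events: the search still runs, but the alert volume does not drop.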