You’re close
Do this instead:
index=*_abc [| inputlookup deattackerv1.csv | rename ip as src_ip]
| stats count by src_ip,index
This will use the inputlookup the way you want it to (ie, only match IPs that are in it)
from User warren – Stack Overflow https://stackoverflow.com/questions/67874897/subsearch-produced-221180-results-truncating-to-maxout-10000/67878662#67878662
via IFTTT