Searching a lookup file named foo.csv that contains "field1" and "field2" is simply
... | lookup foo.csv field1 OUTPUT field2
This means you will need a field called "field1" before calling lookup. The SPL for that is
index=myindex field1="*" | lookup foo.csv field1 OUTPUT field2
What if your events don't have a field called "field1"? The lookup command allows for that, as in this example:
index=myindex username="*" | lookup foo.csv field1 as username OUTPUT field2 as displayname | table username displayname