I like this answer, but I want to point out one additional thing. IMO, you should always define a default to return if there is no match. In the UI, you will find it in the "advanced options" when you are setting up a CSV-based lookup.
If you set the default match to "unknown", you can use that to filter searches as well. This is particularly useful when you can't use the subsearch. For example, let's say that this [inputlookup banned_ips] fails because there are too many items in the lookup table. You could use the same table, and do this instead:
sourcetype=weblogs | lookup banned_ips clientip OUTPUT status | where status="unknown"
This would only list the events where the clientip has NOT been banned. This is a variation of the "is_bad" example, but it can be easier to set up, depending on how you obtained your lookup table.
Tutorial on Setting Up a Lookup
Lookup field matching rules in transforms.conf
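The default-match setup described in the answer above, written as a transforms.conf stanza. This is an added example, not part of the original post: the file name banned_ips.csv and its column layout are assumptions, while min_matches and default_match are the transforms.conf settings behind the UI's default-match option.

```ini
# transforms.conf (added example; file name and CSV columns are assumed)
# Assumed CSV layout, constructed for illustration:
#   clientip,status
#   203.0.113.7,banned
#   198.51.100.22,banned
[banned_ips]
filename = banned_ips.csv
# default_match is only applied when min_matches is greater than zero,
# so both settings are needed for unmatched events to get a value.
min_matches = 1
default_match = unknown
# One row per clientip is enough for a ban list.
max_matches = 1

# With this stanza in place, the search from the answer keeps only
# events whose clientip is absent from the table:
#   sourcetype=weblogs | lookup banned_ips clientip OUTPUT status | where status="unknown"
```

Because unmatched events carry the literal value "unknown", no row in the CSV should use that same string in its status column, or banned addresses would pass the filter.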