When I've hit a similar issue, my approach was similar to yours, but I couldn't figure out a way to pass the lookup table name as a variable. So instead, I sorted the values I needed to lookup into different variables, based on the if / case statement describing them. In your case, I think that would look like this:
sourcetype=WinEventLog:PowerShell `PS_Command_Filter` `PS_Cmd_Rules` NOT
[| inputlookup Powershell_Path_WL.csv
| fields Powershell_WL
| rename Powershell_WL as Path ]
| lookup Powershell_Blacklist BlacklistedPS as Command_Line OUTPUT Alert | eval Command_Line=substr(Command_Line,1,100)
| rex field=ComputerName "\.(?<Domain>.*)"
| table _time, ComputerName, EventCode, Type, Sid, LogName, Path, ScriptBlock_ID, Alert, Command_Line, recipients
| where isnotnull(Alert)
| eval somedomain_sid=if(Domain=="somedomain.whatever.com", Sid, NULL)
| eval someotherdomain_sid=if(Domain=="someotherdomain.whatever.com", Sid, NULL)
| lookup ldap_identities_sat sid as somedomain_sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city
| lookup ldap_identities sid as someotherdomain_sid OUTPUT identity as user, nick as user_nick, bunit as user_bunit, category as user_category, email as user_email, watchlist as user_watchlist, work_city as user_work_city
| makemv delim="|" allowempty=true user_category
With this approach, the Sid values are separated into somedomain_sid and someotherdomain_sid based on the Domain value, and then the appropriate lookups are consulted for each.
... View more