Lucky for you, this is a simple syntax question. A join won't work unless the field names match.
Familiarize yourself with the fundamentals of subsearching:
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Useasubsearch
and lookups:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources
Anytime you do a lookup or a subsearch, in order to match/filter, your fields have to match.
Your main search is as follows:
index="my_summary" [| inputlookup lookup.csv | rename ip as query | fields query source ]
In this example, you've queried Splunk, "given values for the fields 'query' and 'source' in lookup table 'lookup.csv,' find me results in index 'my_summary.'"
This is your problem. Since you're looking to filter against any of the following fields: srcIP, dstIP, srcPORT, dstPORT, source, those are fields that need to homogenize between your lookup table and event data. Those fields may only exist in your event data, but not your lookup, which is why you renamed the ip field.
Are you looking to match resultant data with a lookup, or use the lookup to look for only data that matches? Subtle, but distinct difference for your search, depending on the size of data we're talking about here.
You can get very similar data either way, but I'll let you decide which between the chicken or egg comes first.
Try something like this:
index="my_summary" | lookup lookup.csv ip as srcIP | top 20 srcIP dstIP srcPORT dstPORT
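Added example, not part of the original answer: the filter-first variant, in which each subsearch renames the lookup's `ip` column to a field name that actually exists in the events, so it expands into `srcIP="..." OR ...` / `dstIP="..." OR ...` terms. It assumes `lookup.csv` has an `ip` column and that events in `my_summary` carry `srcIP` and `dstIP`, as in the thread.

```spl
index="my_summary"
    ( [| inputlookup lookup.csv | rename ip AS srcIP | fields srcIP ]
      OR
      [| inputlookup lookup.csv | rename ip AS dstIP | fields dstIP ] )
| top 20 srcIP dstIP srcPORT dstPORT
```

Appending `| format` to a subsearch and running it on its own shows the exact filter string it hands to the outer search, which is the quickest way to confirm the field names line up.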