Searching a lookup file named foo.csv that contains "field1" and "field2" is simply ... | lookup foo.csv field1 OUTPUT field2.
This means you will need a field called "field1" before calling lookup. The SPL for that is index=myindex field1="*" | lookup foo.csv field1 OUTPUT field2.
What if your events don't have a field called "field1"? The lookup command allows for that as in this example
index=myindex username="*" | lookup foo.csv field1 as username OUTPUT field2 as displayname | table username displayname
--- If this reply helps you, an upvote would be appreciated.