@sbbadri - The user didn't say so, but the brackets indicate that this is a subsearch, so this solution will not work. if Source got passed back at all, it would act as a limit on the main search, rather than giving extra information.

@cusello - Not precisely the way I would do it, but it should work for moderate numbers of events and moderate numbers of records in the lookup. For larger numbers of records, I'd replace the mvexpand with a rex that pulls out those error values directly, rather than multiplying the number of records.

Something like this...

 your_search
    [ | inputlookup your_lookup.csv 
    | rename Error AS query 
    | fields query ]
| rex field=_raw [ | inputlookup your_lookup.csv 
    | table Error 
    | sort 0 - Error 
    | rex mode=sed field=Error "s/ /!!!!/g" 
    | format "(?i)(<Error>" "" "" "" "|" ")" 
    | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"]
 | lookup your_lookup.csv Error OUTPUT Source

Note that this is air code. I would test that rex-build subsearch with this first, to make sure the regular expression was well formed.

 | inputlookup your_lookup.csv 
    | table Error 
    | sort 0 - Error 
    | rex mode=sed field=Error "s/ /!!!!/g" 
    | format "(?i)(<Error>" "" "" "" "|" ")" 
    | rex mode=sed field=search "s/[ \"]//g s/^\(/\"(/g s/\)$/)\"/g s/!!!!/ /g"

Thanks a lot for your replies!

I receive this error:

Error in 'rex' command: The regex '(?i)(Error=not starting because the task should|Error=Error getting data)' does not extract anything. It should specify at least one named group. Format: (?...).

@HiroshiSatoh - This will work, but I'd only do it for very small numbers of error messages (no more than 10, or at most 20). map is very expensive for what you get.