Hi,

I'm pretty new to Splunk and I have a simple question that maybe one of you guys could help me figure out. I have a search that I'm using to find the latest login events for a specific set of users. The problem is that there are about 130 users and I tried specifying the users in the search using (Account_Name=user1 OR Account_Name=user2 OR Account_Name=user3.......) I tried entering all 130 but it didn't work I noticed there was a limit after some point, and then I'd stop receiving results. So I did some research and I noticed people mentioned lookup files. So I created a CSV file with the list of actual users that I'd like to run a report on. how can I join the lookup file to the query so I'm only joining the values from the "UserID" field in my lookup table to the field "Account_Name" that comes with the windows event logs that I'm using to build the query. So far this is my query how could I use the lookup to assist to only filter the 130 users. 

index=wineventlog sourcetype=wineventlog EventCode=4624 Account_Name!=*$
| stats latest(_time) as last_login_time by Account_Name
| convert ctime(last_login_time) as "Last Login Time"
| rename Account_Name as "User"
| sort - last_login_time
| table User "Last Login Time"