Lookup file `tenants.csv`
tenant,
tenant1,
tenant2,
tenant3,
tenant4,
Desired query
index=index1 (tenant1xxx OR tenant2xxx OR tenant3xxx OR tenant4xxx)
I'm having a tough time getting this to work. Trying lookup is not working because I am not searching any existing fields. Subsearching with inputlookup is not working at all, not sure why.
So in a nutshell, I'm trying to inject (not just each value from the lookup file but also appending `xxx`), as an OR list of raw strings. Any ideas?
You were close.
index=whatever [ | inputlookup lookup.csv
| eval search=tenant."xxx"
| table search ]
This is returning 0 results.
I've checked the permissions and availability of the lookup file, all good.
I've run the desired query explicitly, and it returns many results.
Even this:
index=index1 [ | inputlookup tenants.csv
| eval new_field=tenant ```<--- forgoing the append```
| table new_field]
is not returning anything.
OK, I found a different thread and can see that I have to use "search" in the eval. Awesome. But now instead of getting '(tenant1xxx OR tenant2xxx OR...)' I am only getting tenant1xxx
You did not get the essence of @PickleRick's solution. In subsearch (weirdly enough but documented nonetheless), meta-keyword search has a special meaning. You cannot replace it with any other string. (Actually, there is ONE synonym:-) But @PickleRick forgot to close subsearch. See explanation in my alternative.
Yeah, I tried yours too, no dice. I missed your reply here, but if you look above I am now adding the meta search to the subsearch. The issue is that it is only adding the first lookup value.
Ahhhhh got it, when I added [| format] it worked.
And I'm just now seeing your suggestion @yuanliu , Thanks!
To diagnose, run
| inputlookup lookup.csv
| stats values(eval(tenant."xxx")) as search
| format
This gives you the exact string passed to main search.
Alternatively, run
| inputlookup lookup.csv
| fields tenant
| eval search = tenant."xxx"
This way, you can see line by line substitution. If not, you need to post the output of this diagnostic. (Anonymize as needed but must reproduce structure/characteristics precisely.)
Then, test
| inputlookup lookup.csv
| fields tenant
| eval search = tenant."xxx"
| format
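Added example (not from the thread or from Splunk): a small Python model of what the subsearch hands back to the outer search, approximating `format` with its default separators. It shows why `eval search=...` yields raw terms while `eval new_field=...` yields `new_field="..."` terms that only match events carrying that field; the CSV is constructed to mirror the thread's lookup and is not the real file.

```python
import csv
import io

# Constructed stand-in for tenants.csv (header without the stray trailing comma).
TENANTS_CSV = """tenant
tenant1
tenant2
tenant3
tenant4
"""

def load_lookup(text):
    """Parse a CSV lookup into a list of row dicts, like `| inputlookup`."""
    return list(csv.DictReader(io.StringIO(text)))

def eval_into(rows, field, suffix, out_field):
    """Emulate `| eval <out_field>=<field>."<suffix>" | table <out_field>`.
    Using out_field="search" is the meta-keyword case from the thread."""
    return [{out_field: row[field] + suffix} for row in rows]

def format_rows(rows):
    """Approximation of Splunk's `format` with default separators
    ("(" "(" "AND" ")" "OR" ")"): each row becomes a parenthesised AND
    group and the groups are OR'ed together.  The field named `search`
    is special: its value is inserted verbatim as a free-text term; any
    other field becomes field="value", which only matches events that
    actually have that field extracted."""
    groups = []
    for row in rows:
        terms = [v if k == "search" else f'{k}="{v}"' for k, v in row.items()]
        groups.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(groups) + " )"

def outer_search(index, subsearch_rows):
    """Splice the formatted subsearch result into the outer search string."""
    return f"index={index} {format_rows(subsearch_rows)}"

if __name__ == "__main__":
    rows = load_lookup(TENANTS_CSV)
    # Raw-string OR list, the behaviour the original poster wanted.
    print(outer_search("index1", eval_into(rows, "tenant", "xxx", "search")))
    # Field-scoped OR list, which returns nothing when `tenant` is not a field.
    print(outer_search("index1", eval_into(rows, "tenant", "xxx", "new_field")))
```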
Well, now I have a new issue. Since the tenant field is changed over to 'search', how can I stats by tenant? Do I just use the lookup file again?
One problem at a time 🙂 Your ask was a free-hand search without matching a specific field name. It is perhaps best to close this one and post another question with the need to extract freehand strings based on lookup values? These are very different search techniques. You will need to explain your lookup AND event data more specifically than mock values tenant1 tenant2 tenant3 and xxx. In particular, what does the appended "xxx" signify? How would they appear in event data? (Anonymize, but be specific enough for volunteers without intimate knowledge about your data to be helpful.)
Further, looking at the job I see this:
litsearch (index=index1 (tenant="tenant1xxx" OR tenant="tenant2xxx" OR tenant="tenant3xxx" OR tenant="tenant4xxx") (splunk_server::splkindx* | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" "new_field"
which is almost what I want. Again, the tenant field does not exist in the original index, I am looking for the explicit string "tenant1xxx" etc.
Don't forget to close subsearch 🙂 Here is an alternative to save a command.
index=whatever [ | inputlookup lookup.csv
| stats values(eval(tenant."xxx")) as search]
Copy-pasted and missed that closing one. Good catch.