Hi,
As the enrichment you want to do is based on very ephemeral data, you may want to do this at Ingest Time instead of at Search Time.
Splunk 8.1 introduced a feature called Ingest-Time Lookups. The idea is to do a lookup based on a given field in the event, get lookup results returned that you then store in an indexed field in the event at index time. Your use case sounds like a proper fit for Ingest-Time Lookups.
A way to achieve what you want is the following:
You may want to synchronize the ip_container_mapping.csv file from the Search Head that generates it to the indexers or HF to keep your CSV up to date. If you are pulling the flow logs in with a Heavy Forwarder, the easiest way to do this would be to let the HF query the Splunk indexers and save the CSV on the HF, then set up the INGEST_EVAL on the HF.
Example for point 2, which will give you an indexed field asset_name being looked up based on the src_ip in the event, returning a column in the CSV file called container_name:
<your_sourcetype_name>
INGEST_EVAL = asset_name=json_extract(lookup("ip_container_mapping.csv",json_object("src_ip", src_ip), json_array("container_name")), "container_name")
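A pre-sync check for the mapping file, as an added example that is not part of the original answer: an indexed field written at ingest time is not recomputed later, so a stale or ambiguous row in ip_container_mapping.csv ends up as a wrong asset_name stored with the event. The column names src_ip and container_name come from the INGEST_EVAL expression above; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample of ip_container_mapping.csv (not real data).
SAMPLE = """\
src_ip,container_name
10.0.1.5,web-frontend
10.0.1.6,api-backend
10.0.1.5,batch-job
10.0.1.300,broken
10.0.1.7,
10.0.1.6,api-backend
"""

def validate_mapping(csv_text):
    """Return (clean, problems): clean maps src_ip -> container_name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {"src_ip", "container_name"} - set(reader.fieldnames or [])
    if missing:
        return {}, [f"missing column(s): {sorted(missing)}"]
    clean, conflicts, problems = {}, set(), []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        ip_raw = (row["src_ip"] or "").strip()
        name = (row["container_name"] or "").strip()
        try:
            ip = str(ipaddress.ip_address(ip_raw))
        except ValueError:
            problems.append(f"line {lineno}: invalid src_ip {ip_raw!r}")
            continue
        if not name:
            problems.append(f"line {lineno}: empty container_name for {ip}")
            continue
        if ip in clean and clean[ip] != name:
            # Reused ephemeral IP: the lookup cannot tell which container is current.
            problems.append(f"line {lineno}: {ip} maps to {clean[ip]!r} and {name!r}")
            conflicts.add(ip)
            continue
        clean[ip] = name
    for ip in conflicts:
        del clean[ip]  # drop ambiguous IPs rather than index a guess
    return clean, problems

if __name__ == "__main__":
    mapping, issues = validate_mapping(SAMPLE)
    print(mapping)
    for issue in issues:
        print("WARN", issue)
```

Run it on the Search Head output before copying the CSV to the HF or indexers, and skip the sync when problems are reported.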
@mbjerkeland_spl - thanks for the suggestion, I'll look into this.