OK. So leaving the lookup aside for a while, the problem is still more complicated because you need to combine {"key":something,"value":other_something} into something=other_something. And it's a non-trivial task. Yes, I saw that you've been doing mvfind/mvindex-based evals, but they don't have to work properly if your data would have missing/empty fields, so I'd approach it a bit differently. I'd try something like this:

Start with the data from your index:

    index=metadata

Parse out the list into an array of json structures:

    | spath path="Tags{}" output=tags

Now we can find the single json object which has the proper key (mvfind returns the index of the first element matching the regex, mvindex then picks that element):

    | eval Domain=mvindex(tags,mvfind(tags,"\"Key\"\s*:\s*\"Domain\""))

And now we can parse out our Domain from the "sub-json":

    | spath input=Domain path="Value" output=Domain

After this you'd have your Domain field properly parsed out. Now there are two approaches you can take. Both will be similar in terms of performance since you have to firstly dig through all your data anyway.

One approach is to use a subsearch to generate a list of conditions for the Domain value:

    | search [ inputlookup snow_sys_applications.csv | where support_group="$your_token$" | rename u_cloud_domain as Domain | table Domain ]

The alternative approach could be to use the lookup and get the support_group field from the lookup based on the u_cloud_domain field looked up from the Domain field, and then filter with the support_group condition.

Unfortunately, because your data is not well-structured, you can't do a simple search for Domain=something. You can improve your search efficiency a bit by adding the u_cloud_domain values to the initial search (without any particular field to match) so that Splunk can limit its search only to those events which have this value anywhere. Depending on your data it might give a significant performance boost or none at all.
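The pipeline above, re-implemented outside Splunk as an added illustration (this is not SPL from the post and not Splunk code; it only mirrors the steps so the edge case can be run end to end). The events, the lookup rows and the names `positional_tag_value`, `tag_value`, `domains_for_group` and `apps_for_group` are all constructed here; `positional_tag_value` is an assumed stand-in for a Key/Value pairing by position, the kind of mvfind/mvindex eval the post warns about, and `tag_value` follows the post's method of keeping each tag object whole and matching `"Key" : "Domain"` with a regex before reading `Value`.

```python
import csv
import io
import json
import re

# Constructed sample events (not real data): each string stands in for one
# event's _raw with a Tags array of {"Key": ..., "Value": ...} objects.
SAMPLE_EVENTS = [
    '{"Name":"app1","Tags":[{"Key":"Env","Value":"prod"},{"Key":"Domain","Value":"payments"}]}',
    '{"Name":"app2","Tags":[{"Key":"Domain","Value":"hr"},{"Key":"Env","Value":"dev"}]}',
    # A tag with no Key ahead of the Domain tag: separate Key and Value lists drift apart.
    '{"Name":"app3","Tags":[{"Value":"orphan"},{"Key":"Domain","Value":"hr"}]}',
    '{"Name":"app4","Tags":[]}',          # empty tag list
    '{"Name":"app5"}',                     # no Tags field at all
]

# Constructed stand-in for the snow_sys_applications.csv lookup (assumed columns).
LOOKUP_CSV = """u_cloud_domain,support_group
payments,team-a
hr,team-b
"""


def positional_tag_value(raw, key="Domain"):
    """Fragile approach (assumed): pull Tags{}.Key and Tags{}.Value as two
    separate multivalue lists and pair them by index."""
    doc = json.loads(raw)
    tags = doc.get("Tags") or []
    keys = [t["Key"] for t in tags if "Key" in t]
    values = [t["Value"] for t in tags if "Value" in t]
    if key not in keys:
        return None
    idx = keys.index(key)
    return values[idx] if idx < len(values) else None


def tag_value(raw, key="Domain"):
    """The post's approach: keep each tag object whole (spath Tags{}),
    locate the one whose Key matches via regex (mvfind -> mvindex),
    then read Value out of that sub-json (spath input=...)."""
    doc = json.loads(raw)
    tags = doc.get("Tags") or []
    key_re = re.compile(r'"Key"\s*:\s*"%s"' % re.escape(key))
    for tag in tags:
        if key_re.search(json.dumps(tag)):
            return tag.get("Value")      # None if the object has no Value
    return None


def domains_for_group(lookup_csv, support_group):
    """The subsearch: lookup rows for one support_group -> set of domains."""
    rows = csv.DictReader(io.StringIO(lookup_csv))
    return {r["u_cloud_domain"] for r in rows if r["support_group"] == support_group}


def apps_for_group(events, lookup_csv, support_group):
    """Outer search filtered by the subsearch's domain list. Events with no
    usable Domain tag simply fall out instead of being mis-attributed."""
    wanted = domains_for_group(lookup_csv, support_group)
    matched = []
    for raw in events:
        if tag_value(raw) in wanted:
            matched.append(json.loads(raw)["Name"])
    return matched


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(json.loads(raw)["Name"], positional_tag_value(raw), tag_value(raw))
    print(apps_for_group(SAMPLE_EVENTS, LOOKUP_CSV, "team-b"))
```

The app3 event is the one to watch: positional pairing returns "orphan" for its Domain because the Key-less tag is dropped from the Key list but not from the Value list, while matching on the whole tag object returns "hr" and the event is correctly attributed to team-b.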