I'm getting confused 🙂

If you want to use the lookup to - well - look up values from the lookup, don't use subsearches and inputlookup. Use the lookup "straight".

<your search> | lookup yourlookup.csv inputfield [possible output fields]

If you want to limit your search by using the lookup to create additional conditions, you'd still need to use your subsearch (but again - without the IN clause and return - just use the subsearch and let Splunk do its magic with formatting the output of the subsearch).

Remember that subsearch is getting evaluated before your main search and returns a static text which is substituted into the main search. So if you want to use the same lookup twice in two different ways (once for creating additional conditions, and once for enriching the results), you have to call it twice in two different ways.

<your search> [ | inputlookup yourlookup.csv | whatever | table origDeviceName ] | lookup yourlookup.csv origDeviceName OUTPUT whatever output fields you want

This way the subsearch would get evaluated first, and that would effectively produce the main search as:

<your search> (origDeviceName="value1" OR origDeviceName="value2" OR origDeviceName="value3"...) | lookup yourlookup.csv [...]

So for every result from the search the lookup against your csv file would be performed and return the defined set of fields.

You can't do that all with just one (input)lookup. Especially within the subsearch since it's evaluated just once before the main search.