Assuming your lookup file containing the user ids has the column name "Account_Name", which matches the field name in the Windows events, you can do something like this:

index=wineventlog sourcetype=wineventlog EventCode=4624 [|inputlookup my_lookup_file.csv | fields Account_Name]
| stats ......
.....
....

I verified it, it works in my env. Just make sure the column_name / field_name in the lookup is correct based on what you want to filter on.

PS: Hit "MARK as Answer" if this solves your query.
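A pre-flight check for the lookup file, as an added example that is not part of the original answer: it approximates the OR filter that the bracketed subsearch hands to the outer search and fails early when the column name does not match the event field. The function name and the sample CSV are constructed for illustration; the 10,000-row cap is Splunk's default subsearch result limit, and the quoting is an approximation of what Splunk generates.

```python
import csv
import io

# Default cap on rows a subsearch returns (limits.conf [subsearch] maxout).
SUBSEARCH_MAXOUT = 10000


def expand_lookup_filter(csv_text, field="Account_Name"):
    """Approximate the filter a subsearch over this lookup expands to.

    Hypothetical helper: raises ValueError when the lookup would not filter
    the way the search intends.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    if field not in headers:
        # Field names are case-sensitive: a column called account_name
        # would filter on a field the events do not carry.
        raise ValueError(f"lookup columns {headers} do not include {field!r}")

    # Keep values verbatim, skipping only blank cells.
    values = [row[field] for row in reader if (row[field] or "").strip()]
    if not values:
        raise ValueError(f"lookup has no values in column {field!r}")
    if len(values) > SUBSEARCH_MAXOUT:
        # Rows past the cap are silently dropped, so those accounts
        # would never match.
        raise ValueError(
            f"{len(values)} rows exceed the subsearch cap of {SUBSEARCH_MAXOUT}"
        )

    terms = []
    for value in values:
        # Escape backslashes (DOMAIN\user) and double quotes inside the value.
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        terms.append(f'( {field}="{escaped}" )')
    return "( " + " OR ".join(terms) + " )"


if __name__ == "__main__":
    # Constructed sample lookup contents.
    sample = "Account_Name,Department\nalice,finance\nbob,it\n"
    print("index=wineventlog sourcetype=wineventlog EventCode=4624",
          expand_lookup_filter(sample))
```

Inside Splunk, appending `| format` to the subsearch and running it on its own shows the string that is actually generated.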