Thanks again for your help and support. The last search wasn't what I was looking for, but I did get some internal support from a cross-team member. Here is what I was looking for; I just need to modify the table outputs etc. to clean it up. Wanted to reply back so everyone can see and understand the concept. I need to do a subsearch on the inputlookup file, searching on a column called "Asset type..." for only Windows Server in this example. Then we rename and match up the key/column name in the lookup CSV file to the internal Splunk value of "host", so all records will search as host and Splunk doesn't get confused. Host is the default name on our Splunk server for the Windows event log hostname, so I need to match that up. The rest is below.

index=wineventlog* EventCode=4720
    [| inputlookup Inventory.csv
     | search "Asset type / Class" = "Windows Server"
     | rename "Asset Name" as host
     | fields + host]
| where Account_Domain=host
| eval Subject_Security_ID = mvindex(Security_ID,0)
| table user, host, Subject_Security_ID

Notes: the "where Account_Domain=host" line is there to keep local account lookups, not including domain accounts. The "table" line will need more added to get exactly what I need.
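The following is an added example, not code from the post or from Splunk: a plain-Python emulation of the search above, run over a constructed inventory CSV and a few constructed 4720 records, so the two filtering steps (restrict to inventory hosts of type "Windows Server", then keep only events where the subject's Account_Domain equals the host) can be checked outside Splunk. The host names, SIDs and field values are made up; Account_Domain is treated as the single-valued subject domain, and Security_ID as the multivalue [subject SID, new account SID] pair that mvindex(Security_ID,0) picks the first element of.

```python
"""Offline emulation of the inventory subsearch + local-account filter (added example, not Splunk code).

Reproduces the logic of
  index=wineventlog* EventCode=4720 [inventory subsearch] | where Account_Domain=host
  | eval Subject_Security_ID=mvindex(Security_ID,0) | table user, host, Subject_Security_ID
over constructed data.
"""
import csv
import io

# Constructed stand-in for Inventory.csv (hypothetical assets, not real inventory data).
INVENTORY_CSV = """Asset Name,Asset type / Class
srv-fs01,Windows Server
srv-sql02,Windows Server
ws-finance07,Windows Workstation
lnx-web01,Linux Server
"""

# Constructed stand-ins for events from index=wineventlog* (hypothetical values).
# Security_ID is multivalue in a real 4720: [subject SID, new account SID].
# Account_Domain is the subject's domain; equal to the hostname means a local account.
EVENTS = [
    {"host": "srv-fs01", "EventCode": 4720, "Account_Domain": "srv-fs01", "user": "svc_backup",
     "Security_ID": ["S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1105"]},
    {"host": "srv-sql02", "EventCode": 4720, "Account_Domain": "CORP", "user": "j.doe",
     "Security_ID": ["S-1-5-21-4444-5555-6666-500", "S-1-5-21-4444-5555-6666-2310"]},
    {"host": "ws-finance07", "EventCode": 4720, "Account_Domain": "ws-finance07", "user": "helpdesk",
     "Security_ID": ["S-1-5-21-7777-8888-9999-1001", "S-1-5-21-7777-8888-9999-1002"]},
    {"host": "srv-fs01", "EventCode": 4624, "Account_Domain": "srv-fs01", "user": "svc_backup",
     "Security_ID": "S-1-5-21-1111-2222-3333-1001"},
]


def windows_server_hosts(inventory_csv: str, asset_type: str = "Windows Server") -> set:
    """Emulates the subsearch:
      | inputlookup Inventory.csv | search "Asset type / Class"="Windows Server"
      | rename "Asset Name" as host | fields + host
    Returns the set of host values the outer search is restricted to."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["Asset Name"] for row in reader if row["Asset type / Class"] == asset_type}


def mvindex(value, index: int):
    """Emulates Splunk mvindex(): a single value acts like a one-element list;
    an out-of-range index yields None (NULL in Splunk)."""
    values = value if isinstance(value, list) else [value]
    return values[index] if -len(values) <= index < len(values) else None


def local_account_creations(events, hosts):
    """Emulates the outer search: EventCode=4720 restricted to the subsearch hosts,
    then `where Account_Domain=host` (case-sensitive, like SPL's where),
    then the eval/table producing user, host, Subject_Security_ID."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 4720:
            continue
        if ev["host"] not in hosts:                  # host=... OR host=... from the subsearch
            continue
        if ev.get("Account_Domain") != ev["host"]:   # drops domain accounts, keeps local ones
            continue
        rows.append({
            "user": ev["user"],
            "host": ev["host"],
            "Subject_Security_ID": mvindex(ev["Security_ID"], 0),
        })
    return rows


if __name__ == "__main__":
    for row in local_account_creations(EVENTS, windows_server_hosts(INVENTORY_CSV)):
        print(row)
```

Of the four constructed records only the srv-fs01 local creation survives: srv-sql02 is dropped because its subject domain is CORP, ws-finance07 because it is a workstation in the inventory, and the 4624 record because it is not a 4720. One caveat worth checking in real data: the comparison mirrors SPL's where, which is case-sensitive, so if Account_Domain carries the upper-case NetBIOS name while host is lower-case, nothing will match and both sides need lower() first.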