There are two techniques for solving such a problem, and picking the right one might depend on your use case.

One has already been shown by @gcusello and @ITWhisperer and involves a subsearch. This way you get a set of conditions for your main search by evaluating the subsearch, which lists the entries from your lookup.

Another possible way of going about it is to run a general search and then use the lookup to filter the results, like:

    index=<whatever>
    | stats max(_time) as latest_activity_time by user
    | lookup <your_lookup.csv> lookupuser AS user OUTPUT user AS matcheduser
    | search matcheduser=*