Lookup definitions

A simple lookup only needs a filename specified in transforms.conf, as shown here:

[testlookup] 
filename = test.csv 

Assuming that test.csv contains the user and group columns and our events contain the user field, we can reference this lookup using the lookup command in search, as follows:

* | lookup testlookup user 

Otherwise, we can wire this lookup to run automatically in props.conf, as follows:

[mysourcetype] 
LOOKUP-testlookup = testlookup user 

That's all you need to get started, and this probably covers most cases. See the Using lookups to enrich data section in Chapter 7, Extending Search, for instructions on creating lookups.
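
As an added illustration (not code from the book or from Splunk), this Python sketch emulates what the testlookup definition does to events: an exact match on user copies the group column onto the event, and events with no match pass through unchanged. The CSV rows, the events and the function names are constructed for the example; exact, case-sensitive matching is modelled because that is the default for lookups (the case_sensitive_match setting in transforms.conf).

```python
import csv
import io

# Constructed sample data: stands in for test.csv and for indexed events.
TEST_CSV = """user,group
alice,admins
bob,developers
"""
EVENTS = [
    {"user": "alice", "action": "login"},
    {"user": "Bob", "action": "sudo"},       # differs in case from the CSV row
    {"user": "mallory", "action": "login"},  # not present in the CSV
    {"action": "logout"},                    # event has no user field
]


def load_lookup(csv_text, match_field):
    """Index the lookup rows by match_field; reject a CSV lacking that column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if match_field not in (reader.fieldnames or []):
        raise ValueError(f"lookup file has no '{match_field}' column")
    table = {}
    for row in reader:
        # Keep the first row per key; this constructed sample has unique keys.
        table.setdefault(row[match_field], row)
    return table


def apply_lookup(events, table, match_field):
    """Copy the other CSV columns onto each event whose match_field matches exactly."""
    enriched = []
    for event in events:
        out = dict(event)
        row = table.get(event.get(match_field))
        if row is not None:
            out.update({k: v for k, v in row.items() if k != match_field})
        enriched.append(out)
    return enriched


def unmatched(events, match_field, added_field):
    """Values of match_field that received no added_field: gaps in the lookup."""
    return [e[match_field] for e in events if match_field in e and added_field not in e]


if __name__ == "__main__":
    result = apply_lookup(EVENTS, load_lookup(TEST_CSV, "user"), "user")
    for e in result:
        print(e)
    print("no group for:", unmatched(result, "user", "group"))
```

The unmatched list is the part worth checking before relying on group in a search or alert: any user missing from test.csv, or spelled with different case, produces events with no group field at all.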