https://community.splunk.com/t5/Splunk-Cloud-Platform/Filter-events/m-p/669130#M2630 <P>To dIagnose these problems run the outer search on its own and the inner search on its own.</P><P>You are using join, which is not necessary and may be the issue depending on your data size.</P><P>You don't need the table commands all the time and you seem to be duplicating your time parsing (time and _time).</P><P>Not sure you need reverse either - in the join, you are reversing to get the first timestamp, which in practice without the reverse would be the oldest _time, so you could just to earliest(timestamp) instead without reverse.</P><P>&nbsp;</P> Mon, 20 Nov 2023 00:52:24 GMT bowesmana 2023-11-20T00:52:24Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Filter-events/m-p/669023#M2629 <P>Device_ID : 1 A.txt</P> <P>2021-07-06 23:30:34.2379| Started!<BR />2021-07-06 23:30:34.6808|3333|-0.051|0.051|0.008|0.016</P> <P>Device_ID : 1 E.txt</P> <P>2021-07-13 18:28:26.7769|**<BR />2021-07-13 18:28:27.1363|aa</P> <P>Device_ID : 2 E.txt</P> <P>2016-03-02 13:56:06.9283|**<BR />2016-03-02 13:56:07.3333|ff</P> <P>Device_ID : 2 A.txt</P> <P>2020-03-02 13:42:30.0111| Started!<BR />2020-03-02 13:42:30.0111|444|-0.051|0.051|0.008|0.016</P> <P>Query:</P> <LI-CODE lang="markup">index="xx" source="*A.txt" | eval Device_ID=mvindex(split(source,"/"),5) | reverse | table Device_ID _raw | rex field=_raw "(?&lt;timestamp&gt;[^|]+)\|(?&lt;Probe_ID&gt;[^|]+)" | table Device_ID timestamp Probe_ID | rex mode=sed field=timestamp "s/\\\\x00/ /g" | table Device_ID timestamp Probe_ID | eval time=strptime(timestamp,"%F %T.%4N") | streamstats global=f max(time) as latest_time by Device_ID | where time &gt;= latest_time | eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S.%4N") | table Device_ID _time Probe_ID |join type=left Device_ID [ search index="xx" source="*E.txt" | eval Device_ID=mvindex(split(source,"/"),5) | reverse | rex field=_raw "(?&lt;timestamp&gt;[^|]+)" | stats first(timestamp) as earliesttime last(timestamp) as latesttime by Device_ID |table Device_ID earliesttime latesttime ] |where _time &gt;= strptime(earliesttime, "%Y-%m-%d %H:%M:%S.%4N") AND _time &lt;= strptime(latesttime, "%Y-%m-%d %H:%M:%S.%4N") |search Device_ID="1"</LI-CODE> <P>&nbsp;</P> <P>Filtering events based on E.txt earliest timestamp on A.txt.</P> <P>It is working for Device_ID 1 and not for Device_ID 2.</P> <P>Both logs are same format.</P> <P>It is not generating earliest and latest timestamp for device_ID 2. If i run subsearch alone, it is generating.</P> Fri, 17 Nov 2023 17:00:11 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Filter-events/m-p/669023#M2629 kirthika26 2023-11-17T17:00:11Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Filter-events/m-p/669130#M2630 <P>To dIagnose these problems run the outer search on its own and the inner search on its own.</P><P>You are using join, which is not necessary and may be the issue depending on your data size.</P><P>You don't need the table commands all the time and you seem to be duplicating your time parsing (time and _time).</P><P>Not sure you need reverse either - in the join, you are reversing to get the first timestamp, which in practice without the reverse would be the oldest _time, so you could just to earliest(timestamp) instead without reverse.</P><P>&nbsp;</P> Mon, 20 Nov 2023 00:52:24 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Filter-events/m-p/669130#M2630 bowesmana 2023-11-20T00:52:24Z