https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470514#M192151 <P>Check if this query works for you. Note that below query sets <CODE>this_week_start</CODE> to <STRONG>2020/04/06 00:00:00</STRONG> (starting this Monday) and <CODE>last_week_start</CODE> to <STRONG>2020/03/30 00:00:00</STRONG> (starting previous week Monday) when I posted this answer.</P> <PRE><CODE>| inputlookup sample.csv | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S"), this_week_start=relative_time(now(), "@w1"), last_week_start=relative_time(now(), "-w@w1"), week = case(_time &gt; this_week_start, "thisweek", _time &gt; last_week_start, "lastweek", 1==1, "prior week") | stats count by test, week </CODE></PRE> Thu, 09 Apr 2020 17:14:57 GMT manjunathmeti 2020-04-09T17:14:57Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470513#M192150 <P>Hi Experts, I have a one month data inputlookup file i.e, sample.csv which contains two fields <STRONG>test</STRONG> and <STRONG>_time</STRONG>. I want to compare weekly data.</P> <P><STRONG>sample.csv</STRONG></P> <P>test _time<BR /> 101 202/04/02 14:02:18<BR /> 102 202/04/01 20:21:50<BR /> 101 202/04/05 02:09:12<BR /> 101 202/03/31 08:11:29</P> <P><STRONG>Expected output:</STRONG></P> <P>test count week<BR /> 101 2 thisweek<BR /> 102 1 lastweek<BR /> 103 1 prior week<BR /> 101 1 prior week </P> <P>like this.. please help on this and thanks in advance.</P> Thu, 09 Apr 2020 12:52:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470513#M192150 james_n 2020-04-09T12:52:57Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470514#M192151 <P>Check if this query works for you. Note that below query sets <CODE>this_week_start</CODE> to <STRONG>2020/04/06 00:00:00</STRONG> (starting this Monday) and <CODE>last_week_start</CODE> to <STRONG>2020/03/30 00:00:00</STRONG> (starting previous week Monday) when I posted this answer.</P> <PRE><CODE>| inputlookup sample.csv | eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S"), this_week_start=relative_time(now(), "@w1"), last_week_start=relative_time(now(), "-w@w1"), week = case(_time &gt; this_week_start, "thisweek", _time &gt; last_week_start, "lastweek", 1==1, "prior week") | stats count by test, week </CODE></PRE> Thu, 09 Apr 2020 17:14:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470514#M192151 manjunathmeti 2020-04-09T17:14:57Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470515#M192152 <P>@manjunathmeti , Thanks for the quick response, but this not working. all results showing as prior week only that to total count for 30days.</P> Fri, 10 Apr 2020 11:04:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470515#M192152 james_n 2020-04-10T11:04:29Z https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470516#M192153 <P>sample:</P> <PRE><CODE>| makeresults | eval _raw="test time 101 2020/04/02 14:02:18 102 2020/04/01 20:21:50 101 2020/04/05 02:09:12 101 2020/03/31 08:11:29" | multikv forceheader=1 | eval _time=strptime(time,"%Y/%m/%d %T") | eval today = now() | eval daysago=mvindex(split(tostring(today - _time,"duration"),"+"),0) | eval week=case(daysago&lt;=7,"thisweek",daysago &gt; 7 AND daysago &lt;= 14 ,"lastweek" , true(), "prior week") | stats count by test week </CODE></PRE> <P>Recommend:</P> <PRE><CODE>| inputlookup sample.csv | eval _time=strptime(time,"%Y/%m/%d %T") | eval today = now() | eval daysago=mvindex(split(tostring(today - _time,"duration"),"+"),0) | eval week=case(daysago&lt;=7,"thisweek",daysago &gt; 7 AND daysago &lt;= 14 ,"lastweek" , true(), "prior week") | stats count by test week </CODE></PRE> <P>How about this?</P> Fri, 10 Apr 2020 11:24:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-pass-earliest-and-latest-in-search-time-using-inputlookup/m-p/470516#M192153 to4kawa 2020-04-10T11:24:12Z