the search query is working perfectly , i just need to show the dates from the csv. example if i run the search and the user matches for example 123@gmail.com , the date on the 123.csv for this user is 22/05/2023. It should show the date as well

OK - can you not simply do a lookup on 123.csv?

i try but not showing so i need your help with the query,

What have you tried so far?

i use table  and tried to put in stats and on the first line also to show , please help 

If you want more help, you will have to be more specific as to what exactly you have tried. I lost my mind-reading license after a misunderstanding with an African Prince!

---

@ITWhisperer wrote:

If you want more help, you will have to be more specific as to what exactly you have tried. I lost my mind-reading license after a misunderstanding with an African Prince!

---

hi

i tried last week to rename [date AS date | fields date ] in first line 

table at the last line i cannot remember , 

It is not clear from the way you appear to be approaching this what it is that you are actually trying to achieve. Please can you share some anonymised sample events, examples of the csv files and an explanation of the desired results.

this is the current result.  in my csv, there are 2 columns date and address - which is the sender address, which currently the query is working as shown above. after running the query, if there are any results, the date from the csv also should be shown in of the columns in the result table.

index=mail [ | inputlookup 123.csv | rename address AS query | fields query ]
| dedup MessageTraceId
| lookup email_domain_whitelist domain AS RecipientDomain output domain as domain_match
| where isnull(domain_match)
| lookup all_email_provider_domains domain AS RecipientDomain output domain as domain_match2
| where isnotnull(domain_match2)
| stats values(RecipientAddress) as Recipient values(Subject) as Subject earliest(_time) AS "Earliest" latest(_time) AS "Latest" values(Status) as Status by RecipientDomain SenderAddress
| eval subject_count=mvcount(Subject)
| sort - subject_count
| convert ctime("Latest")
| convert ctime("Earliest")
| lookup 123.csv address AS SenderAddress OUTPUT date

in my csv there are 2 colums , Event date and address

address is used for sender address to match the criteria.

so, after the query is run , if there are any results, the date from the csv, should be shown with the results.

the command which you gave i think it is wrong.

In what way is it wrong? What happened when you tried it?

in my csv there are 2 colums , Event date and address

address is used for sender address to match the criteria.

so, after the query is run , if there are any results, the Event date from the csv, should be shown with the results in another column

the command which you gave i think it is wrong.

The search job has failed due to an error. 

Please explain how being evasive helps your cause?

sorry i do not understand your question

How do you think providing short, and not very informative answers helps anyone help you solve your problem?

i have provided everything , i am sorry if i did not 

There was an error in what you just replied