thanks @gcusello

Actually, my requirement is to get these 510 events where the key matches the new key.
Also to get 510 events where the key-value matches the new key generated
in subquery where only generates a list of latest url_time combination as a new key

index="yut" sourcetype="test"  cd IN(*)  level="rrr" severity="error" 
| eval evtdate = strftime(_time,"%Y-%m-%d")
| eval CD=cd 
| eval key=_time + url (this query is giveing me 504 key)
| append ----------------( want to use here append)
[ search index="yut" sourcetype="test" cd IN (*) severity="error" | eval  CD=cd 
| eval evtdatein = strftime(_time,"%Y-%m-%d")
| sort by _time desc
| dedup url | eval newkey=_time + url
| table newkey]  --------------(this query is giving me 6 newkeys)

Hi @hrs2019,
let me understand: you want to find keys in the last period that were present also before?

I continue to see that the searches are the same, so results are the same, if you speak of latest url _time combination you have to insert a different time frame in the subsearch (something like earliest=... latest=...)

If this is you need, I answered to a similar question few days ago ( https://answers.splunk.com/answers/823555/how-to-search-data-which-is-not-present-in-the-las.html#an... ).

So you could try something like this (e.g. last period is the last 24 hours and the full period is 7 days):

 index="yut" sourcetype="test"  cd=*  level="rrr" severity="error"
 | eval new=if(now()-_time<86400,"yes","not")
 | eval key=_time + url
 | stats dc(new) AS count values(new) AS new values(key) AS key
 | where count>1 AND new="yes"
 | table key

Ciao.
Giuseppe