Completely new to Splunk, and hoping to find help with a search I'm using for a dashboard, but cannot get this working.
I am using the following search to return a table of events based on the "BKSTAT" field, which I set up as a field extraction (it is basically the value of "Success" or "Failure" etc. for a backup job in the "backuplogs" sourcetype), and outputs to a table by host name:
sourcetype=BackupLogs BKSTAT=Successful OR BKSTAT=Canceled OR BKSTAT=Failed
[search * | eval earliest=if(lower(strftime(now(),"%A"))="monday", "@w5", "-1d") | return earliest ]
| stats latest(BKSTAT) by host
Table Output:
Host BKSTAT
ServerA Successful
ServerB Successful
ServerC Failed
Server1 Successful (Want to include this server with logs from a different lookup date)
The above search works fine: if it runs on a Monday, it captures the log from before the weekend; otherwise it captures the log from the previous day, as needed for several hosts that back up daily.
We have another server, let's call it "Server1", that has backup logs which populate the same "backuplogs" source. However, this server only backs up on a Friday. I need to modify this search so events for "Server1" are always returned looking back to the previous Friday, i.e. earliest set to "@w5" solely for this server.
Is there any way to incorporate this server's events in the table as per the example above alongside the existing search, but specifying the different time range lookup for just this host?
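One way to express a per-host lookback in a single search, added here as an illustration rather than as the poster's own search or a reply from the thread: search one fixed window wide enough to cover every host's cutoff, compute each host's own cutoff with eval, and drop events older than it before the stats. It assumes the same sourcetype and BKSTAT extraction as the post, that the host field carries the literal value "Server1", and that an 8-day base window (earliest=-8d@d) is wide enough; all three are assumptions, not facts from the post.

```spl
sourcetype=BackupLogs (BKSTAT=Successful OR BKSTAT=Canceled OR BKSTAT=Failed) earliest=-8d@d
| eval is_monday = if(lower(strftime(now(), "%A"))="monday", 1, 0)
| eval cutoff = case(
      host="Server1", relative_time(now(), "@w5"),
      is_monday=1,    relative_time(now(), "@w5"),
      true(),         relative_time(now(), "-1d"))
| where _time >= cutoff
| stats latest(BKSTAT) AS BKSTAT by host
```

The case() branches are evaluated in order: the weekly host always snaps back to the most recent Friday (@w5), every other host snaps to Friday only when the search runs on a Monday and otherwise looks back one day, which mirrors the logic of the original subsearch without the "search *" subsearch. Adding a host to the weekly rule is one more case() branch, and the same cutoff column can be kept in the table for debugging by appending "by host, cutoff" to the stats if a visible check of which window applied is wanted.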