Thanks for this interesting suggestion. I have tried applying this, but I'm getting strange results. Consecutive identical searched is returning different results. My suspicion is that different parts of the search is performed asynchronously, causing the data in an earlier version of temp.csv being read before the new version of temp.csv is written. Could this be possible? Note: I'm using "| inputlookup temp.csv" inside a subsearch. Maybe the subsearch is executed asynchronously with the main search? UPDATE: after looking at the Splunk documentation on subsearches, I read this: "The subsearch is in square brackets and is run first. " This explains the strange behaviour.
... View more