I have a base search below, but I need to use a time_window that is in a table, since various logs come in at different times and I'm trying to create alerts for indexes not reporting, but I don't want false positives for indexes that have an expected time lag. splunk_security_indexes.csv is used to get a specific subset of indexes.

| tstats max(_time) as _time where index=* by index sourcetype
| lookup splunk_security_indexes.csv index OUTPUT time_window
| where _time < relative_time(now(), 'time_window')
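The following Python is an added example, not code from the original post: it models the search's logic offline so the lookup contents and the per-index relative-time modifiers can be checked before the alert is scheduled. The lookup rows, index and sourcetype names, and event timestamps are constructed sample data; the relative_time implementation covers only the s/m/h/d offset and @snap subset of Splunk's grammar. It also shows the one behaviour worth knowing about the `where` clause: an index with no row in the lookup gets a null time_window, the comparison evaluates to false, and that index is never flagged.

```python
"""Offline model of a per-index "not reporting" check driven by a lookup table.

Added example: reimplements the logic of

    | tstats max(_time) as _time where index=* by index sourcetype
    | lookup splunk_security_indexes.csv index OUTPUT time_window
    | where _time < relative_time(now(), 'time_window')

All lookup rows and event times below are constructed sample data.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for splunk_security_indexes.csv (index -> allowed lag).
LOOKUP_CSV = """index,time_window
wineventlog,-4h
firewall,-1h
vpn,-7d@d
"""

# Constructed stand-in for the tstats output: newest event per (index, sourcetype).
NOW = datetime(2024, 3, 10, 12, 30, tzinfo=timezone.utc)
LATEST_EVENTS = {
    ("wineventlog", "WinEventLog:Security"): datetime(2024, 3, 10, 11, 0, tzinfo=timezone.utc),
    ("wineventlog", "WinEventLog:System"): datetime(2024, 3, 10, 7, 0, tzinfo=timezone.utc),
    ("firewall", "pan:traffic"): datetime(2024, 3, 10, 12, 20, tzinfo=timezone.utc),
    ("vpn", "cisco:asa"): datetime(2024, 3, 2, 23, 0, tzinfo=timezone.utc),
    ("dns", "bind:query"): datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),  # no lookup row
}

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# Subset of Splunk's relative-time grammar: optional signed offset with unit, optional @snap.
_MODIFIER_RE = re.compile(r"^(?:([+-]?\d+)([smhd])?)?(?:@([smhd]))?$")


def relative_time(now, modifier):
    """Evaluate a modifier such as "-7d@d" against `now`, the way
    eval's relative_time(now(), 'time_window') does for the s/m/h/d subset."""
    modifier = modifier.strip()
    if modifier in ("", "now"):
        return now
    m = _MODIFIER_RE.match(modifier)
    if not m:
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    t = now
    if amount is not None:
        # A bare number with no unit is seconds.
        t += timedelta(seconds=int(amount) * _UNIT_SECONDS[unit or "s"])
    # Snapping truncates to the start of the unit, applied after the offset.
    if snap == "d":
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    elif snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    elif snap == "s":
        t = t.replace(microsecond=0)
    return t


def load_time_windows(csv_text):
    """Parse the lookup as `| lookup ... index OUTPUT time_window` would expose it."""
    return {row["index"]: row["time_window"] for row in csv.DictReader(io.StringIO(csv_text))}


def stale_sources(latest, windows, now, default_window=None):
    """Return (index, sourcetype) pairs whose newest event is older than the index's allowed lag.

    With default_window=None this matches the SPL: an index absent from the lookup has a
    null time_window, so the `where` clause is false and it is silently never flagged.
    Pass a default such as "-1h" to cover unlisted indexes instead of dropping them.
    """
    stale = []
    for (index, sourcetype), newest in sorted(latest.items()):
        window = windows.get(index, default_window)
        if window is None:
            continue
        if newest < relative_time(now, window):
            stale.append((index, sourcetype))
    return stale


def unlisted_indexes(latest, windows):
    """Indexes that send data but have no lookup row, and therefore can never alert."""
    return sorted({index for index, _ in latest} - set(windows))


if __name__ == "__main__":
    windows = load_time_windows(LOOKUP_CSV)
    print("stale (SPL semantics):", stale_sources(LATEST_EVENTS, windows, NOW))
    print("stale (with -1h default):", stale_sources(LATEST_EVENTS, windows, NOW, "-1h"))
    print("indexes missing from lookup:", unlisted_indexes(LATEST_EVENTS, windows))
```

Running it against the constructed data flags vpn (cutoff snapped to midnight seven days back) and the WinEventLog:System sourcetype, while dns drops out entirely under the SPL semantics until a row is added to the lookup or a default window is applied. The same check (`unlisted_indexes`) is cheap to turn into a second scheduled search so that new indexes do not silently escape the alert.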