Hi, I have a search that I have been struggling with for a few days.
I have an index that contains two fields: type and Total_Count.
I have another CSV that contains similar fields: stype and sTotal_Count.
Now the index may have many rows with the same type and different Total_Count, and the same goes for the CSV.
The purpose of the search is: for each row in the index, find out how many rows in the CSV have stype equal to type and sTotal_Count greater than Total_Count, then append the count to the table alongside type and Total_Count.
So I have tested this inputlookup on the CSV and it works fine:
| inputlookup typeA.csv where stype="A01" and sTotal_Count > 30 | stats count
Then I would do something like this:
index="ktme_v7_measurement"
| join
[|inputlookup typeA.csv where stype=type and sTotal_Count > Total_Count | stats count as type_c]
| table type Total_Count type_c
But the type_c column is always 0.
Then I found this question; he had the same problem as me with passing a field into a subsearch:
answers/85076/passing-parent-data-into-subsearch.html
but the answer was
an outer search cannot pass values into a subsearch
And now I'm stuck. I'm very new to Splunk, so I cannot figure out how to do my search here.
Please help me, many thanks.
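
An added example, not part of the original post: one way to get the per-row count without passing outer fields into a subsearch is to append the CSV rows to the index rows and keep a running count of CSV rows within each type. The index, lookup and field names come from the post; the helper fields src and is_csv are hypothetical names introduced here, and both count fields are assumed to be numeric.

```spl
index="ktme_v7_measurement"
| fields type Total_Count
| eval src="idx", is_csv=0
| append
    [| inputlookup typeA.csv
     | rename stype AS type, sTotal_Count AS Total_Count
     | eval src="csv", is_csv=1]
| sort 0 type, -num(Total_Count), -src
| streamstats sum(is_csv) AS type_c BY type
| where src="idx"
| table type Total_Count type_c
```

Within each type the rows are sorted by value in descending order, with index rows placed ahead of CSV rows on ties, so the running sum at an index row counts only CSV rows whose sTotal_Count is strictly greater than that row's Total_Count. The append subsearch is subject to Splunk's subsearch result limits, so a very large CSV may be truncated.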