1. How can I create and write the results into that csv file?
Use a saved search, run it for a day's data (example: yesterday) and then write it to a lookup (preferably a KV Store lookup). Since you have two searches, write the output to two lookups.

2. How can I set up automatic update of that csv file?
Schedule your first saved search to run and update its lookup daily at 6am, and schedule your second search to run and update its lookup at 6:30am. Your final search query (shown below), which matches the events from the two lookups, should run at 7:00am and write to a third lookup, which will be your final lookup with the matching events.

| inputlookup firstlookup | lookup secondlookup fieldname
Since you have 500k events, the join command doesn't work, as it is limited to 50k events. Try the following:
1. Write the data from the first search (the part before the join command in your query) to a lookup file (data_lookup_1.csv).
2. Write the data from the subsearch to another lookup file (data_lookup_2.csv).
Your final query:

| inputlookup data_lookup_1.csv | lookup data_lookup_2.csv EntityId

Try it and let me know if it works.
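As an added illustration, not taken from either answer above, here is the three-search schedule from the first answer (6:00, 6:30 and 7:00) and the EntityId lookup join from the second answer written out as Splunk .conf stanzas, using KV Store collections rather than csv files. The index, sourcetype and the user/status fields are placeholders; the final search filters with isnotnull() because lookup only adds fields and does not drop unmatched rows on its own.

```ini
# collections.conf  (constructed example: the KV Store collections behind the lookups)
[data_lookup_1]
field.EntityId = string
field.user     = string

[data_lookup_2]
field.EntityId = string
field.status   = string

[data_lookup_matched]
field.EntityId = string
field.user     = string
field.status   = string

# transforms.conf  (lookup definitions that point at the collections)
[data_lookup_1]
external_type = kvstore
collection    = data_lookup_1
fields_list   = _key, EntityId, user

[data_lookup_2]
external_type = kvstore
collection    = data_lookup_2
fields_list   = _key, EntityId, status

[data_lookup_matched]
external_type = kvstore
collection    = data_lookup_matched
fields_list   = _key, EntityId, user, status

# savedsearches.conf  (the three scheduled searches; index/sourcetype/fields are placeholders)
[populate_data_lookup_1]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time   = @d
search = index=main sourcetype=app_a | stats latest(user) AS user BY EntityId | outputlookup data_lookup_1

[populate_data_lookup_2]
enableSched = 1
cron_schedule = 30 6 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time   = @d
search = index=main sourcetype=app_b | stats latest(status) AS status BY EntityId | outputlookup data_lookup_2

[populate_data_lookup_matched]
enableSched = 1
cron_schedule = 0 7 * * *
# lookup only appends fields; isnotnull(status) keeps just the EntityIds present in both lookups
search = | inputlookup data_lookup_1 | lookup data_lookup_2 EntityId OUTPUT status | where isnotnull(status) | outputlookup data_lookup_matched
```

Each outputlookup without append replaces the collection contents, so every run reflects only the previous day's data; keep the 7:00 search behind the two populate searches so it never reads a half-written lookup.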