So, if I understand correctly, you want to get data from an index relating to all hosts in the lookup and then get the timestamp from the lookup. index=index sourcetype=sourcetype [| inputlookup yourlookup.csv | fields host ] | lookup yourlookup.csv host What this is doing  Line 1 - search your index  Line 2 - Use a subsearch to add an additional constraint on your line 1 search which is derived from all the hosts in your lookup file. Line 3 - then for all the events found from the above search, lookup the host in the event from the lookup file and get the timestamp. I am sure there is more to your needs than just this, but hopefully this will help you get started.   ... View more