Hi,

In the past (Splunk Enterprise v 7.x.x) I used the below search to run a report every few minutes. There were so many results that, due to limitations, I had to run them in 1-day spans. I needed to do this for 6 months of data, so I automated the process with a repeating report.

I would run this search to create the first entries, which is necessary for the next step:

    index="app" sourcetype="api" type=log* | eval time=_time | sort time desc | table time type version | outputlookup append=false My_file.csv

Then I created a report and set it to run every 1 or 2 minutes with the below search. It basically looks at the earliest date in the My_file.csv file, then adjusts the earliest and latest times for the main search:

    index="app" sourcetype="api" type=log* [| inputlookup My_file.csv | stats min(time) as mi | eval latest=(mi-0.001) | eval earliest=(latest-86400) | return earliest latest] | eval time=_time | table time type version | sort time desc | outputlookup append=true My_file.csv

It just runs the search with the timeframe in my Splunk time picker. It doesn't seem to take the earliest and latest from my 'return' command in the subsearch. If I try running the subsearch only, then I do get a result:

    | inputlookup My_file.csv | stats min(time) as mi | eval latest=(mi-0.001) | eval earliest=(latest-86400) | return earliest latest

This gives me the below results, so I don't get why the value isn't used in the top search:

    earliest="1642374033.873" latest="1642719633.873"

It works, though, if I do a map, but that's not a viable solution due to the high volumes:

    | inputlookup My_file.csv | stats min(time) as mi | eval latest=(mi-0.001) | eval earliest=(latest-86400) | table earliest latest | map maxsearches=10 search="search index="app" sourcetype="api" type=log* earliest="$earliest$" latest="$latest$""

What's frustrating is that this used to work, and now I need to do the same exercise and I can't use it again. Does anybody have an idea why it's not working?
Have you experienced similar issues? Thanks
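The backward-chaining window arithmetic the post describes (next latest = min(time) - 0.001, earliest = latest - 86400, results appended to a lookup and fed back in), as an added example that is not part of the original post or of Splunk. It models the loop in Python over constructed timestamps standing in for the index, and generates the SPL string the map-driven version would run so the windows can be checked before anything is scheduled. It goes one step beyond the post by handling an empty window: with the post's arithmetic, a day with no events leaves min(time) unchanged, so the same window would be recomputed on every run. The function names (next_window, spl_for_window, query_events, backfill, constructed_events), the sample data and the half-open earliest/latest range are all assumptions of this example; nothing here talks to Splunk.

```python
"""Backfill a large index one window at a time, walking backwards from the newest data.

Added example, not from the original post: reproduces the post's windowing
arithmetic (latest = min(time) - 0.001, earliest = latest - 86400) over
constructed timestamps and builds the SPL string the post's map command runs.
"""

DAY = 86400.0
EPSILON = 0.001  # the 0.001 s the post subtracts so the boundary event is not read twice


def next_window(min_time_in_lookup, span=DAY):
    """Same arithmetic as the post's subsearch: latest = min(time) - 0.001, earliest = latest - span."""
    latest = min_time_in_lookup - EPSILON
    return latest - span, latest


def spl_for_window(earliest, latest):
    """Equivalent of the post's map-driven search with the window inlined (no map needed)."""
    return (f'search index="app" sourcetype="api" type=log* '
            f'earliest="{earliest:.3f}" latest="{latest:.3f}"')


def query_events(events, earliest, latest):
    """Stand-in for running the search. Assumption: the range is earliest <= _time < latest."""
    return [t for t in events if earliest <= t < latest]


def backfill(events, seed_earliest, seed_latest, stop_at, span=DAY):
    """Chain windows backwards from a seed window until latest drops below stop_at.

    Returns (windows, lookup_times): windows is a list of (earliest, latest, n_found);
    lookup_times is what My_file.csv would hold after `outputlookup append=true`.
    Edge case handled: a window with no events leaves min(time) unchanged, so the
    post's arithmetic would regenerate the same window on every run; here the next
    window steps back from the empty window's own earliest instead.
    """
    lookup_times = query_events(events, seed_earliest, seed_latest)  # the post's first search
    if not lookup_times:
        raise ValueError("seed window returned no events; nothing to chain from")
    earliest, latest = next_window(min(lookup_times), span)
    windows = []
    while latest > stop_at:
        found = query_events(events, earliest, latest)
        lookup_times.extend(found)  # outputlookup append=true
        windows.append((earliest, latest, len(found)))
        if found:
            earliest, latest = next_window(min(lookup_times), span)
        else:
            earliest, latest = next_window(earliest + EPSILON, span)  # contiguous step back
    return windows, lookup_times


def constructed_events(base=1_700_000_000.0):
    """Constructed sample data: one event every 6 h for 5 days, with day 3 missing (the gap case)."""
    return [base - k * 21600 for k in range(20) if not 8 <= k <= 11]


if __name__ == "__main__":
    base = 1_700_000_000.0
    events = constructed_events(base)
    windows, lookup = backfill(events, base - DAY, base + 1, stop_at=base - 5 * DAY)
    for earliest, latest, n in windows:
        print(f"{n:2d} events  <- {spl_for_window(earliest, latest)}")
    print(f"{len(lookup)} of {len(events)} events collected")
```

Running it walks five windows over the constructed data (3, 0, 4, 4 and 0 events) and collects all 16 events; the empty third window is the case where the post's report, fed only by min(time) in the lookup, would keep producing the same earliest/latest pair until someone noticed.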