I've got a query I want to run on a daily basis and write the results to a lookup (# of results, once per day).
Then I want to be able to query that lookup to pull the last 7 days' counts.
Is this possible? Is there a better way?
I have a lookup file of IDS exclusions I am constantly updating, and I want to be able to see how many results from the search I had each day. If I run the search at the end of the 7 days it won't be accurate, because it would be against the lookup after 7 days of updates: if I had 20 results on Monday and put something in the lookup that excluded those 20, I wouldn't have visibility when I ran it the next day, since the lookup would exclude those 20 results.
I was thinking that if I could store the count somewhere each day and query that later, I wouldn't need to run anything against the exclusions lookup; I could just pull the historical counts I wrote.
Sorry if I am overcomplicating this; I'm new to Splunk, so if there is a better way to do it please let me know!
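One way to do what the post describes, as an added example and not something from the original thread: a daily scheduled search that applies the exclusions lookup, counts the survivors, and appends one timestamped row to a second lookup, followed by the search that reads the last 7 days back out. The index, sourcetype, lookup file names and the `signature` field are assumptions; substitute your own.

```spl
| comment: Scheduled search, run once a day shortly after midnight (cron 5 0 * * *).
| comment: Counts yesterday's IDS events that are NOT in the exclusions lookup as it exists today.
index=ids sourcetype=suricata earliest=-1d@d latest=@d
    NOT [| inputlookup ids_exclusions.csv | fields signature]
| stats count
| eval day_epoch=relative_time(now(), "-1d@d"),
       day=strftime(day_epoch, "%Y-%m-%d")
| table day_epoch day count
| outputlookup append=true ids_daily_counts.csv

| comment: Reporting search: pull the stored counts for the last 7 days.
| comment: Lookup fields come back as strings, so tonumber() before the comparison.
| inputlookup ids_daily_counts.csv
| eval day_epoch=tonumber(day_epoch)
| where day_epoch >= relative_time(now(), "-7d@d")
| sort day_epoch
| table day count
```

Because `outputlookup append=true` only ever adds rows, a re-run of the scheduled search for the same day writes a duplicate; dedup on `day` in the reporting search (`| dedup day`) or prune the file periodically if that matters. The stored count reflects the exclusions list as of the day it was written, which is exactly what makes the historical numbers stable.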