On your question about the performance impact, you might end up running into OOM issues and your search performance might also get degraded, as suggested by @to4kawa there might be alternatives available, if you can post your query and some mockup data and the desired output we can try to help you out ... View more

Hi @ahmadshakir1952 My answer updated. please confirm. ... View more

| makeresults | eval _raw="_time,unique_number,Name 12/9/2019 9:49,4782,John 12/9/2019 9:52,698,Andrew 12/9/2019 9:56,2487,Marshal" | multikv forceheader=1 | eval _time=strptime(time,"%m/%d/%Y %H:%M") | table _time,unique_number,Name | rename COMMENT AS "this is sample you provide" | rename COMMENT AS "From here, the logic" | eventstats range(_time) as time_check | eval comment=if(Name="John" AND unique_number=4782 AND time_check <= 60 * 20,"matched","not matched") | table _time,unique_number,Name,comment Hi, @ahmadshakir1952 I don't understand subsearch well, but I think we can create a query if you provide us with the conditions. ... View more