Hi and thanks a lot for your help!

My goal: finding processes that made suspicious DNS requests around user logon. It seems that nested subsearches could do the job, so here is my request:

    event_simpleName=Process
        [search event_simpleName=DNSrequest
            [ search ComputerName IN ("Computer*") event_simpleName=UserLogon NOT UserName IN ("SYSTEM","*$","LOCAL SERVICE","DWM-*", "SERVICE LOCAL")
            | dedup ComputerName, UserName
            | rename _time AS earliest
            | eval latest=earliest+120
            | fields earliest, latest, ComputerName ]
        | where match(DomainName,"(?i)(^.*\.(surf|cam|date|eu)$)")
        | where NOT match(DomainName,".*(amaz)")
        | rename CProcessId as TProcessId
        | fields ComputerName, TProcessId ]

What I try to do / what I understand:

Subsearch_1:
- Try to find user logons and use dedup to reduce the number of events.
- Using "fields", I pass three "parameters" to Subsearch_2: earliest, latest, ComputerName. Field "ComputerName" exists in "DNSrequest" data.

Subsearch_2:
- Using the filters "earliest, latest, ComputerName", I search DNS requests made around the user logon time (logon time + 2 mins).
- Fields "ComputerName, ProcessId" are passed to the main search. These two fields exist in "Process" data.

Main search:
- Try to find processes based on "ComputerName" and "TProcessId".
- The time range selected in the UI is used by this search and by Subsearch_1. Subsearch_2 uses "earliest" and "latest".

The complete request does not return any result, but I have results if I decompose the request. The issue probably concerns the data / parameters processed by the main search... but I can't find out more.
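An added example, not part of the original post: the same three-stage correlation (logon window, DNS requests inside it, the process that made them) implemented in Python over a handful of constructed sample events, so each stage can be run and inspected on its own. It assumes the field names used in the query above (event_simpleName, ComputerName, UserName, DomainName, CProcessId, TProcessId) and that _time is epoch seconds; the sample events, hostnames and image paths are made up.

```python
import re

# Constants mirroring the filters in the query above.
WINDOW_SECONDS = 120                      # eval latest=earliest+120
HOST_PREFIX = "Computer"                  # ComputerName IN ("Computer*")
SUSPICIOUS_DOMAIN = re.compile(r"(?i)(^.*\.(surf|cam|date|eu)$)")
IGNORED_DOMAIN = re.compile(r".*(amaz)")
EXCLUDED_USERS = {"SYSTEM", "LOCAL SERVICE", "SERVICE LOCAL"}


def is_excluded_user(user):
    """NOT UserName IN ("SYSTEM","*$","LOCAL SERVICE","DWM-*","SERVICE LOCAL")."""
    return user in EXCLUDED_USERS or user.endswith("$") or user.startswith("DWM-")


def logon_windows(events):
    """Subsearch_1: one (earliest, latest, ComputerName) window per host/user pair.
    Splunk hands events to dedup newest first, so the most recent logon is kept."""
    logons = [e for e in events
              if e["event_simpleName"] == "UserLogon"
              and e["ComputerName"].startswith(HOST_PREFIX)
              and not is_excluded_user(e["UserName"])]
    seen, windows = set(), []
    for e in sorted(logons, key=lambda e: e["_time"], reverse=True):
        key = (e["ComputerName"], e["UserName"])
        if key in seen:
            continue                      # dedup ComputerName, UserName
        seen.add(key)
        windows.append({"earliest": e["_time"],
                        "latest": e["_time"] + WINDOW_SECONDS,
                        "ComputerName": e["ComputerName"]})
    return windows


def suspicious_dns(events, windows):
    """Subsearch_2: DNS requests that fall inside a logon window on the same host
    and pass both domain filters. Returns the (ComputerName, TProcessId) pairs
    that the main search receives as its search terms."""
    keys = set()
    for e in events:
        if e["event_simpleName"] != "DNSrequest":
            continue
        in_window = any(w["ComputerName"] == e["ComputerName"]
                        and w["earliest"] <= e["_time"] <= w["latest"]
                        for w in windows)
        if not in_window:
            continue
        domain = e["DomainName"]
        if not SUSPICIOUS_DOMAIN.search(domain) or IGNORED_DOMAIN.search(domain):
            continue
        # rename CProcessId as TProcessId; values compared as text, as Splunk does
        keys.add((e["ComputerName"], str(e["CProcessId"])))
    return keys


def matching_processes(events, keys):
    """Main search: Process events whose (ComputerName, TProcessId) pair came back
    from the subsearch. Both values must match, and the id must exist under
    exactly that field name in the Process events."""
    return [e for e in events
            if e["event_simpleName"] == "Process"
            and (e["ComputerName"], str(e.get("TProcessId", ""))) in keys]


def correlate(events):
    """Run the three stages and report how many rows survive each one."""
    windows = logon_windows(events)
    keys = suspicious_dns(events, windows)
    procs = matching_processes(events, keys)
    return {"logon_windows": len(windows), "dns_keys": len(keys), "processes": procs}


# Constructed sample events (not real telemetry); _time is epoch seconds.
EVENTS = [
    {"event_simpleName": "UserLogon", "_time": 1000.0, "ComputerName": "Computer01", "UserName": "alice"},
    {"event_simpleName": "UserLogon", "_time": 1005.0, "ComputerName": "Computer01", "UserName": "alice"},
    {"event_simpleName": "UserLogon", "_time": 1000.0, "ComputerName": "Computer02", "UserName": "COMPUTER02$"},
    {"event_simpleName": "UserLogon", "_time": 1000.0, "ComputerName": "Computer01", "UserName": "DWM-1"},
    {"event_simpleName": "DNSrequest", "_time": 1010.0, "ComputerName": "Computer01", "DomainName": "www.example.com", "CProcessId": 4715},
    {"event_simpleName": "DNSrequest", "_time": 1030.0, "ComputerName": "Computer01", "DomainName": "update.evil.surf", "CProcessId": 4711},
    {"event_simpleName": "DNSrequest", "_time": 1040.0, "ComputerName": "Computer01", "DomainName": "cdn.amazon.eu", "CProcessId": 4712},
    {"event_simpleName": "DNSrequest", "_time": 1300.0, "ComputerName": "Computer01", "DomainName": "late.cam", "CProcessId": 4713},
    {"event_simpleName": "DNSrequest", "_time": 1030.0, "ComputerName": "Computer02", "DomainName": "beacon.date", "CProcessId": 4714},
    {"event_simpleName": "Process", "ComputerName": "Computer01", "TProcessId": 4711, "ImageFileName": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe"},
    {"event_simpleName": "Process", "ComputerName": "Computer03", "TProcessId": 4711, "ImageFileName": "C:\\Windows\\System32\\svchost.exe"},
    {"event_simpleName": "Process", "ComputerName": "Computer01", "TProcessId": 4712, "ImageFileName": "C:\\Program Files\\Browser\\browser.exe"},
]

if __name__ == "__main__":
    report = correlate(EVENTS)
    print("logon windows:", report["logon_windows"])
    print("DNS (ComputerName, TProcessId) keys:", report["dns_keys"])
    for p in report["processes"]:
        print("match:", p["ComputerName"], p["TProcessId"], p["ImageFileName"])
```

On the sample data only one logon window survives (the newer of alice's two logons on Computer01; the machine account and DWM- logons are dropped), only one DNS request survives (the .surf lookup inside the window; the amazon.eu lookup is ignored, the .cam lookup is outside the window and Computer02 has no eligible logon), and only the Process event on the same host with the same TProcessId matches. The same per-stage counts can be taken in Splunk by running the innermost subsearch alone, then the middle one, then the full query, and comparing the (ComputerName, TProcessId) pairs the middle stage emits against the field names and values actually present in the Process events.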