Hi, I have a main search that generates a table of event counts by date, UID and host, something like this for example:

date      UID    host   count
20201014  abc01  host1  25
20201015  abc01  host2  16
20201016  xyz01  host1  1

Then I generate additional fields from a sub-search by joining on those dates and UIDs. The problem is, I need to dynamically perform the sub-search for earliest=-30d and latest=-3d based on the values of the dates in each row from the main search. That is, the sub-search for the second row where date=20201015 should only extract results from 30 days prior to 2020-10-15 (i.e. earliest=2020-09-15) up to 3 days prior to 2020-10-15 (i.e. latest=2020-10-12). Similarly, the sub-search for the third row should only extract results from 30 days prior to 2020-10-16 (i.e. earliest=2020-09-16) up to 3 days prior to 2020-10-16 (i.e. latest=2020-10-13). How do I do that?

So far, I have done:

<main search> | eval date=strftime(_time, "%Y%m%d") ...
| join type=inner date, uid, host
    [search index=subsearch_idx
        [| gentimes start=-30 end=-3 increment=1d | addinfo | eval earliest=info_min_time | eval latest=info_max_time | return earliest latest]
    continue_subsearch...]
| continue_main_search

It doesn't seem to work, however. How can I populate the dates for the sub-search dynamically based on the values of the date in the main search? Thank you for your time and help.
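One way to express the per-row window the question describes, added here as an illustration and not code from the original post: a `join` subsearch runs once, before the outer search, so it never sees the `date` of an individual row. The `map` command instead runs its search once per input row, substituting that row's field values for `$field$` tokens, so the window bounds can be computed as epoch values in the main search and handed to `earliest=`/`latest=` of the per-row search. The index name `subsearch_idx`, the field names `uid`/`host`, the `prior_count` result field and the `maxsearches` value are assumptions for the example.

```spl
<main search>
| eval date=strftime(_time, "%Y%m%d")
| stats count BY date uid host
| eval day=strptime(date, "%Y%m%d")
| eval win_start=floor(relative_time(day, "-30d@d"))
| eval win_end=floor(relative_time(day, "-3d@d"))
| map maxsearches=200 search="search index=subsearch_idx uid=$uid$ host=$host$ earliest=$win_start$ latest=$win_end$ | stats count AS prior_count | eval date=\"$date$\", uid=\"$uid$\", host=\"$host$\", count=$count$"
| table date uid host count prior_count
```

`map` replaces each input row with the results of its own search, so the trailing `eval` inside the quoted search copies `date`, `uid`, `host` and `count` back onto the result; without it only `prior_count` would survive. `-3d@d` makes `latest` the midnight that starts the third day before `date` (2020-10-12 00:00 for 2020-10-15, matching the example in the question); use `-2d@d` if that day should be included in full. Because `map` launches one search per row, it is capped by `maxsearches` (the default is 10) and gets expensive quickly, so keep the `stats` before it as narrow as possible.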