https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581343#M10294 <P>CID still empty</P> Mon, 17 Jan 2022 15:13:16 GMT sarit_s 2022-01-17T15:13:16Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581339#M10290 <P>Hello</P><P>I have a field that does not return results when searching for specific string.&nbsp;</P><P>i need to combine two searches so i will be able to return this field + other results from the search with the specific string</P><P>this is my query :</P><P>&nbsp;</P><LI-CODE lang="markup">sourcetype=clientlogs OR sourcetype="client-logs-api" Categories="Login" | stats count(eval( Message="Unable to load " OR Message="Unable to load from SDK")) as Faliure, values(Message) as Message values(IPAddress) as IPAddress, values(Url) as url by Country SessionGuid | appendpipe [ stats sum(Faliure) as Faliure | fillnull value=0 Faliure | eval Country="TOTAL" ] | appendpipe [ stats count(SessionGuid) as FailedSessions | eval Country="TOTAL",Faliure="Faliure"] ] | table SessionGuid IPAddress Country Faliure Message FailedSessions url | sort - Faliure</LI-CODE><P>&nbsp;</P><P>i need to add the field CID which return no results when searching for the message at the beginning of the query&nbsp;</P><P>how can i join them together so i will see in the table also the values of CID ?</P> Mon, 17 Jan 2022 14:35:21 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581339#M10290 sarit_s 2022-01-17T14:35:21Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581340#M10291 <P>I am not sure I understand the requirement - do you want a list of CID where Categories != "Login" or a list of CID where message = "Unable to load " OR message = "Unable to load from SDK" or a list of CID where message != "Unable to load " AND message != "Unable to load from SDK" or something else?</P> Mon, 17 Jan 2022 15:01:09 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581340#M10291 ITWhisperer 2022-01-17T15:01:09Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581341#M10292 <P>I want list of CID's when&nbsp;</P><LI-CODE lang="markup">sourcetype=clientlogs OR sourcetype="client-logs-api"</LI-CODE><P>and add it to the table</P> Mon, 17 Jan 2022 15:02:38 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581341#M10292 sarit_s 2022-01-17T15:02:38Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581342#M10293 <LI-CODE lang="markup">| append [search sourcetype=clientlogs OR sourcetype="client-logs-api" | stats values(CID) as CID]</LI-CODE> Mon, 17 Jan 2022 15:09:10 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581342#M10293 ITWhisperer 2022-01-17T15:09:10Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581343#M10294 <P>CID still empty</P> Mon, 17 Jan 2022 15:13:16 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581343#M10294 sarit_s 2022-01-17T15:13:16Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581353#M10295 <P>So CID doesn't exist in these sourcetypes?</P><P>If it does, how would you list them?</P> Mon, 17 Jan 2022 16:26:16 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581353#M10295 ITWhisperer 2022-01-17T16:26:16Z https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581355#M10296 <P>It does.&nbsp;<BR />if im searching only for those sourcetyps i can find CID</P><P>but when i append this search with the rest it returns empty</P> Mon, 17 Jan 2022 16:30:05 GMT https://community.splunk.com/t5/Splunk-Dev/subsearch-join/m-p/581355#M10296 sarit_s 2022-01-17T16:30:05Z