https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459590#M30151 <P>What's your full search?</P> Thu, 22 Aug 2019 20:27:49 GMT somesoni2 2019-08-22T20:27:49Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459586#M30147 <P>Hello,<BR /> I have a main search, with an append command. <BR /> Some events contain just the <STRONG>user</STRONG>; others just the <STRONG>addr</STRONG>; and still others both the <STRONG>user</STRONG> and the <STRONG>addr</STRONG>. The issue is I only know <STRONG>user</STRONG>. However, to find events which contain just the <STRONG>addr</STRONG> I need to search the log for events where the <STRONG>user!=""</STRONG> and where <STRONG>addr!=""</STRONG>. Then I can run a new search on log with <STRONG>$addr=addr</STRONG>. I will use dedup at the end.</P> <PRE><CODE>|append [ search index ="events" AND source="log" AND (user="$userId_tok$" OR [ search index ="events" AND source="/log" AND user="$userId_tok$" | head limit=1 | eval addr="\"".addr."\"" | return $addr ] </CODE></PRE> <P>Can OR work with subsearches?</P> <P>I hope that makes sense.</P> <P>Thanks and God bless,<BR /> Genesius</P> Thu, 22 Aug 2019 18:53:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459586#M30147 genesiusj 2019-08-22T18:53:32Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459587#M30148 <P>It should work with OR (your just need to ensure that proper brackets are placed so that your logic is correct. Your second subsearch is just returning the value (because of dollar sign), so your search becomes this</P> <PRE><CODE>search index ="events" AND source="log" AND (user="$userId_tok$" OR ("address_value_returned_from_subsearch") </CODE></PRE> <P>That is intentional right?</P> Thu, 22 Aug 2019 19:03:57 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459587#M30148 somesoni2 2019-08-22T19:03:57Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459588#M30149 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a> <BR /> Yes. Don't forget the trailing ).</P> <P>AND <STRONG>(</STRONG>user="$userId_tok$"<BR /> OR ("address_value_returned_from_subsearch")<STRONG>)</STRONG></P> <P>Thanks and God bless,<BR /> Genesius</P> Wed, 30 Sep 2020 01:52:26 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459588#M30149 genesiusj 2020-09-30T01:52:26Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459589#M30150 <P>@somesoni2 <BR /> Also, here is the error message.</P> <P>Error in 'SearchParser': Subsearches are only valid as arguments to commands. </P> <P>Thanks and God bless,<BR /> Genesius</P> Thu, 22 Aug 2019 19:55:53 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459589#M30150 genesiusj 2019-08-22T19:55:53Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459590#M30151 <P>What's your full search?</P> Thu, 22 Aug 2019 20:27:49 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459590#M30151 somesoni2 2019-08-22T20:27:49Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459591#M30152 <P>The way that subsearches work by default is that the fields within a row are combined with <CODE>AND</CODE> and then rows are combined with <CODE>OR</CODE>. You can see what is done by running your subsearch and then adding <CODE>| format</CODE> to the end and it will show you the SPL that it will generate. Additionally, the <CODE>format</CODE> command allows you to change the <CODE>AND</CODE> to <CODE>OR</CODE> or the <CODE>OR</CODE> to <CODE>AND</CODE> if you like, by passing the appropriate arguments. Check it out:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults">https://docs.splunk.com/Documentation/Splunk/latest/Search/Changetheformatofsubsearchresults</A></P> Tue, 17 Sep 2019 21:36:48 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459591#M30152 woodcock 2019-09-17T21:36:48Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459592#M30153 <P>@woodcock ,<BR /> I want to thank you for your reply. I will check into later this afternoon. I'm prepping for a meeting.<BR /> Thanks and God bless,<BR /> Genesius</P> Wed, 18 Sep 2019 13:24:05 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459592#M30153 genesiusj 2019-09-18T13:24:05Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459593#M30154 <P>@somesoni2 <BR /> As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.<BR /> I am getting back to old forum posts to thanks people and close.<BR /> Apologies for the delay.<BR /> Thanks and God bless,<BR /> Genesius</P> Thu, 26 Sep 2019 13:49:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459593#M30154 genesiusj 2019-09-26T13:49:41Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459594#M30155 <P>@woodcock <BR /> As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.<BR /> I am getting back to old forum posts to thanks people and close.<BR /> Using | format and the supplied link have been a great education.</P> <P>Apologies for the delay.<BR /> Thanks and God bless,<BR /> Genesius</P> Thu, 26 Sep 2019 13:50:59 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459594#M30155 genesiusj 2019-09-26T13:50:59Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459595#M30156 <P>Be sure to come back and click <CODE>Accept</CODE> to close the question and <CODE>UpVote</CODE> and useful answers or comments.</P> Thu, 26 Sep 2019 14:48:16 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459595#M30156 woodcock 2019-09-26T14:48:16Z https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459596#M30157 <P>@woodcock <BR /> Got it. Done.<BR /> I saw the Accept button over my response and thought I would be accepting mine and not yours. Thanks and God bless,<BR /> Genesius</P> Thu, 26 Sep 2019 15:33:03 GMT https://community.splunk.com/t5/Dashboards-Visualizations/The-Results-from-a-Subsearch-Need-to-be-Used-as-an-OR-in-the/m-p/459596#M30157 genesiusj 2019-09-26T15:33:03Z