https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380146#M111287 <P>I'm seeking assistance with writing the 2 queries</P> Thu, 08 Nov 2018 21:38:25 GMT princeali 2018-11-08T21:38:25Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380144#M111285 <P>Query One: One that is exclusive of Server4 in Index1 based of the hosts in Index2. I.e. based on the Index2 hosts, I run a query on Index1 and only show the same hosts, Server1–Server3.</P> <P>Query Two: This one is exclusive of any hosts that are in Index2 when we run a search in Index1. I.e. based on the Index2 hosts I run a query on Index1 and it only shows the host Server4.</P> <P>P.S. - This is an enterprise class system and the hostnames columns are a moving target and also the hostnames are different fieldnames</P> <P>Index1<BR /> -Server1<BR /> -Server2<BR /> -Server3<BR /> -Server4</P> <P>Index2<BR /> -Server1<BR /> -Server2<BR /> -Server3</P> Thu, 08 Nov 2018 13:56:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380144#M111285 princeali 2018-11-08T13:56:50Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380145#M111286 <P>could you share the two queries? </P> Thu, 08 Nov 2018 20:09:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380145#M111286 kmaron 2018-11-08T20:09:39Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380146#M111287 <P>I'm seeking assistance with writing the 2 queries</P> Thu, 08 Nov 2018 21:38:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380146#M111287 princeali 2018-11-08T21:38:25Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380147#M111288 <P>Hi princeali,<BR /> let me know:</P> <UL> <LI>do you have events in Index1 from server 1-server4 and events in index2 from server 1-server3 ?</LI> <LI>do you want to search events in index1 where server 1-server4 come from another search and to search events in index2 where server 1-server3 come from another different search?</LI> </UL> <P>In first case it's easy:</P> <PRE><CODE>(index=index1 host=server 1 OR host=server2 OR host=server3 OR host=server4) OR (index=index2 host=server 1 OR host=server2 OR host=server3) </CODE></PRE> <P>In the second case:</P> <PRE><CODE>(index=index1 [ search another_search1 host=server 1 OR host=server2 OR host=server3 OR host=server4 | dedup host | fields host]) OR (index=index2 [ search another_search2 host=server 1 OR host=server2 OR host=server3 | dedup host | fields host]) </CODE></PRE> <P>You have to use the second one if you want to search in index1 and index2 only the hosts that you find in another search, if you want to search hosts in the same index you don't need a subsearch and you can use the first.</P> <P>In addition, remember that there's a limit of 50,000 to subsearch results.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 09 Nov 2018 08:30:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380147#M111288 gcusello 2018-11-09T08:30:27Z https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380148#M111289 <P>hi @princeali </P> <P>Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!</P> Mon, 12 Nov 2018 20:32:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-create-a-subsearch-for-two-correlated-queries/m-p/380148#M111289 mstjohn_splunk 2018-11-12T20:32:15Z