https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388421#M113255 <P>Thanks, that was the trick. I had to use same field name for IP address in both queries. <BR /> My final query which is working now:</P> <P>index=index1 sourcetype=sourcetype1 [search <BR /> index=index2 sourcetype=sourcetype2 category=category2 | table src | rename src as IP_address]</P> Wed, 09 Jan 2019 01:45:25 GMT utk123 2019-01-09T01:45:25Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388418#M113252 <P>I am trying the below subsearch, but it's not giving any results. "No results found. Try expanding the time range. "</P> <P>I want to get the IP address from search2, and then use it in search1. </P> <P>Search1 (outer search): giving results</P> <PRE><CODE>index=index1 sourcetype=sourcetype1 IP_address </CODE></PRE> <P>Search2 (inner search): giving results</P> <PRE><CODE>index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src| table src </CODE></PRE> <P>subsearch: not giving results</P> <PRE><CODE>index=index1 sourcetype=sourcetype1 [search index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src| table src] </CODE></PRE> <P>Am I missing anything here ?</P> Tue, 08 Jan 2019 09:20:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388418#M113252 utk123 2019-01-08T09:20:08Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388419#M113253 <P>@utk123 , To get result of above subsearch, <CODE>src</CODE> field result need to be present in Search 1. If this criteria is fulfilled, then query will work. n events will be return by search.</P> <P>Please refer below queries - <BR /> Below query will return the result- </P> <PRE><CODE>index=_internal group=pipeline [search index=_internal component=Metrics | top limit=1 name | table name] </CODE></PRE> <P>Below Query might not return a result </P> <PRE><CODE>index=_internal group=executor [search index=_internal component=Metrics | top limit=1 name | table name] </CODE></PRE> <P><STRONG>PS:</STRONG> Above queries are heavy query.</P> Tue, 08 Jan 2019 13:00:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388419#M113253 askkawalkar 2019-01-08T13:00:59Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388420#M113254 <P>@utk123 try the following search. <CODE>rename src as IP_address</CODE> is required as <CODE>index1</CODE> has field <CODE>IP_address</CODE>:</P> <PRE><CODE>index=index1 sourcetype=sourcetype1 [ search index=index2 sourcetype=sourcetype2 category=category2 | top limit=1 src showcount=f showperc=f | rename src as IP_address] </CODE></PRE> Tue, 08 Jan 2019 14:34:48 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388420#M113254 niketn 2019-01-08T14:34:48Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388421#M113255 <P>Thanks, that was the trick. I had to use same field name for IP address in both queries. <BR /> My final query which is working now:</P> <P>index=index1 sourcetype=sourcetype1 [search <BR /> index=index2 sourcetype=sourcetype2 category=category2 | table src | rename src as IP_address]</P> Wed, 09 Jan 2019 01:45:25 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-subsearch-not-working/m-p/388421#M113255 utk123 2019-01-09T01:45:25Z