https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431320#M123296 <P>Hello,</P> <P>In order to detect unused workstations in our computer park, we are searching for all assets not connected to Active Directory (AD) AND to Ghost Solution Suite (GSS) since &gt;90 days.</P> <P>We can easily perform two searches independently, which are basically the same. First one:</P> <PRE><CODE>sourcetype=my_ad_sourcetype | eval it = strptime(ad_last_inventory,"%Y-%m-%d") | eval ot = strptime(nowstring,"%Y-%m-%d") | eval diff = (ot - it) | eval round = round(diff/86400, 0) | search round &gt; 90 | table ad_wks_name, ad_last_inventory </CODE></PRE> <P>And the second one:</P> <PRE><CODE>sourcetype=my_gss_sourcetype | eval it = strptime(gss_last_inventory,"%Y-%m-%d") | eval ot = strptime(nowstring,"%Y-%m-%d") | eval diff = (ot - it) | eval round = round(diff/86400, 0) | search round &gt; 90 | table gss_wks_name, gss_last_inventory </CODE></PRE> <P>What we can’t do is to combine those two searches. We tried to execute one of two queries as a subsearch and perform a simple comparison at the end like: </P> <PRE><CODE>| where gss_wks_name=ad_wks_name </CODE></PRE> <P>Every time we face an issue, the main search is executed correctly, but the subsearch doesn’t give out the correct result. Instead it repeats the <CODE>_wks_name</CODE> and the <CODE>_last_inventory</CODE> date for the last workstation.</P> <PRE><CODE>wks_123 | 2018-10-20 23:12:00.0 wks_123 | 2018-10-20 23:12:00.0 wks_123 | 2018-10-20 23:12:00.0 etc. </CODE></PRE> <P>Do you have an idea what we're doing wrong?</P> <P>Thanks for the help!</P> <P>Alex.</P> Tue, 29 Jan 2019 12:28:52 GMT AlexeySh 2019-01-29T12:28:52Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431320#M123296 <P>Hello,</P> <P>In order to detect unused workstations in our computer park, we are searching for all assets not connected to Active Directory (AD) AND to Ghost Solution Suite (GSS) since &gt;90 days.</P> <P>We can easily perform two searches independently, which are basically the same. First one:</P> <PRE><CODE>sourcetype=my_ad_sourcetype | eval it = strptime(ad_last_inventory,"%Y-%m-%d") | eval ot = strptime(nowstring,"%Y-%m-%d") | eval diff = (ot - it) | eval round = round(diff/86400, 0) | search round &gt; 90 | table ad_wks_name, ad_last_inventory </CODE></PRE> <P>And the second one:</P> <PRE><CODE>sourcetype=my_gss_sourcetype | eval it = strptime(gss_last_inventory,"%Y-%m-%d") | eval ot = strptime(nowstring,"%Y-%m-%d") | eval diff = (ot - it) | eval round = round(diff/86400, 0) | search round &gt; 90 | table gss_wks_name, gss_last_inventory </CODE></PRE> <P>What we can’t do is to combine those two searches. We tried to execute one of two queries as a subsearch and perform a simple comparison at the end like: </P> <PRE><CODE>| where gss_wks_name=ad_wks_name </CODE></PRE> <P>Every time we face an issue, the main search is executed correctly, but the subsearch doesn’t give out the correct result. Instead it repeats the <CODE>_wks_name</CODE> and the <CODE>_last_inventory</CODE> date for the last workstation.</P> <PRE><CODE>wks_123 | 2018-10-20 23:12:00.0 wks_123 | 2018-10-20 23:12:00.0 wks_123 | 2018-10-20 23:12:00.0 etc. </CODE></PRE> <P>Do you have an idea what we're doing wrong?</P> <P>Thanks for the help!</P> <P>Alex.</P> Tue, 29 Jan 2019 12:28:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431320#M123296 AlexeySh 2019-01-29T12:28:52Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431321#M123297 <P>@AlexeySh ,</P> <P>Assuming that you have only one record per workstation, i.e. last_inventory is the latest value of that machine</P> <P>Try this and lets know if there are some changes,</P> <PRE><CODE> sourcetype=my_ad_sourcetype OR sourcetype=my_gss_sourcetype |eval itAd=strptime(ad_last_inventory,"%Y-%m-%d"), itGss=strptime(gss_last_inventory,"%Y-%m-%d") |eval ot=strptime(nowstring,"%Y-%m-%d") |eval diffAd=round((ot-itAd)/86400,0) , diffGss=round((ot-itGss)/86400,0) |eval wks_name=coalesce(ad_wks_name,gss_wks_name) |table wks_name,diffAd,diffGss |fillnull value=0 |stats max(diffAd) as diffAd,max(diffGss) as diffGss by wks_name |where diffAd&gt;90 AND diffGss&gt;90 </CODE></PRE> Tue, 29 Jan 2019 14:56:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431321#M123297 renjith_nair 2019-01-29T14:56:30Z https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431322#M123298 <P>Gorgeous !</P> <P>That's exectly what we were searching for.</P> <P>Thanks for the help! </P> Tue, 29 Jan 2019 15:59:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-use-a-subsearch-with-a-table-command/m-p/431322#M123298 AlexeySh 2019-01-29T15:59:03Z