https://community.splunk.com/t5/Splunk-Search/Passing-a-field-value-from-one-search-command-in-the-pipeline-to/m-p/507135#M141828 <P>I have a search which produces a list of fields in an output table, including a user ID. I want to take the at ID, search another index,&nbsp;and add additional output columns to the table. Functionally it behaves like this:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval requesting_user="david" | appendcols [search index=admon sAMAccountName=$requesting_user$ earliest=0 latest=now | stats last(mail) as mail, last(givenName) as givenName, last(cn) as cn]</LI-CODE><P>&nbsp;</P><P>In the end, I want a single row with the requesting_user, mail, givenName and cn fields. But I'm not quite sure how to join these two searches together into a single row of output. I've experimented with appendcols, appendpipe, append, and map. Only map seems to be able to read the requesting_user token, but seems to throw away the requesting_user field.</P><P>The rest of the commands I've tried don't seem to be able to read the token or something else is going on, because I only get null values for those fields. When I execute the appendcols command substituting the token for the actual user name, it retrieves the values I want.&nbsp;</P><P>Can anyone help me understand how include the fields from the bottom search into the output table of the top search?</P> Thu, 02 Jul 2020 19:13:40 GMT _smp_ 2020-07-02T19:13:40Z https://community.splunk.com/t5/Splunk-Search/Passing-a-field-value-from-one-search-command-in-the-pipeline-to/m-p/507135#M141828 <P>I have a search which produces a list of fields in an output table, including a user ID. I want to take the at ID, search another index,&nbsp;and add additional output columns to the table. Functionally it behaves like this:</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval requesting_user="david" | appendcols [search index=admon sAMAccountName=$requesting_user$ earliest=0 latest=now | stats last(mail) as mail, last(givenName) as givenName, last(cn) as cn]</LI-CODE><P>&nbsp;</P><P>In the end, I want a single row with the requesting_user, mail, givenName and cn fields. But I'm not quite sure how to join these two searches together into a single row of output. I've experimented with appendcols, appendpipe, append, and map. Only map seems to be able to read the requesting_user token, but seems to throw away the requesting_user field.</P><P>The rest of the commands I've tried don't seem to be able to read the token or something else is going on, because I only get null values for those fields. When I execute the appendcols command substituting the token for the actual user name, it retrieves the values I want.&nbsp;</P><P>Can anyone help me understand how include the fields from the bottom search into the output table of the top search?</P> Thu, 02 Jul 2020 19:13:40 GMT https://community.splunk.com/t5/Splunk-Search/Passing-a-field-value-from-one-search-command-in-the-pipeline-to/m-p/507135#M141828 _smp_ 2020-07-02T19:13:40Z https://community.splunk.com/t5/Splunk-Search/Passing-a-field-value-from-one-search-command-in-the-pipeline-to/m-p/507151#M141832 <P>With the exception of <FONT face="courier new,courier">map</FONT>, the commands you tried (as well as <FONT face="courier new,courier">join</FONT> and <FONT face="courier new,courier">multisearch</FONT>) execute the subquery independent of the main search.&nbsp; The subquery has no awareness of the fields in the main search and there is no way to pass arguments to the subquery.</P><P>Subsearches are similar, but they run first and make their results available to the main search.&nbsp; So, your problem may be solved by swapping the order of operations.</P><LI-CODE lang="markup">index=admon [ | makeresults | eval requesting_user="david" ] sAMAccountName=requesting_user earliest=0 latest=now | stats last(mail) as mail, last(givenName) as givenName, last(cn) as cn</LI-CODE> Thu, 02 Jul 2020 21:03:47 GMT https://community.splunk.com/t5/Splunk-Search/Passing-a-field-value-from-one-search-command-in-the-pipeline-to/m-p/507151#M141832 richgalloway 2020-07-02T21:03:47Z