https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510564#M142896 <P>Thank you for your reply. May I know why this is limited to 10,000.</P> Thu, 23 Jul 2020 03:26:27 GMT kiru2992 2020-07-23T03:26:27Z https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510361#M142839 <P>Hello Everyone!</P><P>I have a scenario to extract a particular set id's from index1 in search1 and run a search2 on index2 based on the extracted ids.</P><P><STRONG>Example</STRONG> :</P><P><FONT color="#3366FF"><STRONG>Search1:</STRONG></FONT></P><P>index="index1" sourcetype="st1" field1="abc"</P><P>|rename id as <FONT color="#FF0000">ticket_id</FONT></P><P><FONT color="#3366FF">Search2:</FONT></P><P>index="index2" source="xyz"</P><P>| sort 0 <FONT color="#FF0000">ticket_id</FONT></P><P>|.........</P><P>What's the best way to go about it? I tried using map but I've had no luck at all. Not sure if it's because I'm using it wrong or if it's not appropriate for the situation. Including both indexes at the start of the search is not feasible given the absurd size of the second index.</P><P>Can anyone please help me here?</P><P>Thank you in advance.</P><P>&nbsp;</P> Wed, 22 Jul 2020 07:34:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510361#M142839 kiru2992 2020-07-22T07:34:08Z https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510438#M142861 <P>If the number of results from search 1 is fewer than 10,000 then you can use a subsearch.</P><LI-CODE lang="markup">index="index2" source="xyz" [ index="index1" sourcetype="st1" field1="abc" |rename id as ticket_id | fields ticket_id | format ] | sort 0 ticket_id |.........</LI-CODE> Wed, 22 Jul 2020 13:22:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510438#M142861 richgalloway 2020-07-22T13:22:22Z https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510564#M142896 <P>Thank you for your reply. May I know why this is limited to 10,000.</P> Thu, 23 Jul 2020 03:26:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510564#M142896 kiru2992 2020-07-23T03:26:27Z https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510641#M142948 It is a limit imposed by Splunk for reasons known only to them. See <A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Aboutsubsearches#Output_settings_for_subsearch_commands?:~:text=By%20default,results" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Aboutsubsearches#Output_settings_for_subsearch_commands?:~:text=By%20default,results</A> Thu, 23 Jul 2020 12:37:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-a-calculated-multivalued-field-from-a-search-as-an/m-p/510641#M142948 richgalloway 2020-07-23T12:37:07Z