https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527743#M148989 <P>Run the subsearch by itself with "| format" appended to it.&nbsp; You should get something that looks like</P><P>&nbsp;</P><LI-CODE lang="markup">(host="foo" OR host="bar" OR host="baz")</LI-CODE><P>&nbsp;</P><P>Add that to the main search to get</P><P>&nbsp;</P><LI-CODE lang="markup">| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host in (host="foo" OR host="bar" OR host="baz")</LI-CODE><P>&nbsp;</P><P>and you should see the problem.&nbsp; The string returned by the subsearch makes no sense in the context of the main search.&nbsp; The solution is to modify one or both searches so the result is good SPL.</P><P>&nbsp;</P><LI-CODE lang="markup">| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND [search stuff stuff stuff | rename host as host_changed | return host_changed] by host span=1m | timechart span=1m avg(load.longterm) AS Longterm by host</LI-CODE><P>&nbsp;</P> Tue, 03 Nov 2020 14:46:43 GMT richgalloway 2020-11-03T14:46:43Z https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527622#M148952 <P>Hi all!</P><P>I have this query which gets me the list of hosts</P><P>stuff stuff stuff | rename host as host_changed | dedup host_changed | table host_changed</P><P>it works beautifully. &nbsp;</P><P>Now I have this other query</P><P>| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host=lalalala by host span=1m | timechart span=1m avg(load.longterm) AS Longterm by host</P><P>which also works perfectly</P><P>Now, what I want to do, it effectively combine the two, but I cannot seem to get the syntax right</P><P>| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host in [search&nbsp;stuff stuff stuff | rename host as host_changed | dedup host_changed | table host_changed] by host span=1m | timechart span=1m avg(load.longterm) AS Longterm by host</P><P>Thoughts? &nbsp;Thanks!</P><P>&nbsp;</P> Tue, 03 Nov 2020 01:47:00 GMT https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527622#M148952 matthewwhittle 2020-11-03T01:47:00Z https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527743#M148989 <P>Run the subsearch by itself with "| format" appended to it.&nbsp; You should get something that looks like</P><P>&nbsp;</P><LI-CODE lang="markup">(host="foo" OR host="bar" OR host="baz")</LI-CODE><P>&nbsp;</P><P>Add that to the main search to get</P><P>&nbsp;</P><LI-CODE lang="markup">| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host in (host="foo" OR host="bar" OR host="baz")</LI-CODE><P>&nbsp;</P><P>and you should see the problem.&nbsp; The string returned by the subsearch makes no sense in the context of the main search.&nbsp; The solution is to modify one or both searches so the result is good SPL.</P><P>&nbsp;</P><LI-CODE lang="markup">| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND [search stuff stuff stuff | rename host as host_changed | return host_changed] by host span=1m | timechart span=1m avg(load.longterm) AS Longterm by host</LI-CODE><P>&nbsp;</P> Tue, 03 Nov 2020 14:46:43 GMT https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527743#M148989 richgalloway 2020-11-03T14:46:43Z https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527976#M149045 <P>Hi richgalloway,</P><P>Your response is very appreciated. &nbsp;When I tried your suggestion below, I got the error</P><P>"<SPAN>Term based search is not supported"</SPAN></P> Wed, 04 Nov 2020 17:42:19 GMT https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527976#M149045 matthewwhittle 2020-11-04T17:42:19Z https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527978#M149047 <P>Ah, but a theme off that variation works, taking the approach of modifying the mstats query</P><P>| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND</P><P><SPAN>&nbsp; </SPAN>[search stuff stuff stuff</P><P><SPAN>&nbsp; </SPAN>| format] by host span=1m</P><P>| timechart span=1m avg(load.longterm) AS Longterm by host</P> Wed, 04 Nov 2020 17:48:06 GMT https://community.splunk.com/t5/Splunk-Search/mstats-with-host-subquery/m-p/527978#M149047 matthewwhittle 2020-11-04T17:48:06Z