https://community.splunk.com/t5/Splunk-Search/Filter-search-by-subsearch-values/m-p/535747#M151424 <P>There's no much to work with in the question, but perhaps this gives you an idea.</P><LI-CODE lang="markup">&lt;events to filter against subsearch ids&gt; [search subsearch | return 1000 subsearch_id]</LI-CODE><P>The subsearch with <FONT face="courier new,courier">return</FONT> command returns a string of the type "<FONT face="courier new,courier">(subsearch_id="foo" OR subsearch_id="bar")</FONT>" which filters the events from the base search.</P> Thu, 14 Jan 2021 01:46:37 GMT richgalloway 2021-01-14T01:46:37Z https://community.splunk.com/t5/Splunk-Search/Filter-search-by-subsearch-values/m-p/535692#M151406 <P>Hi,<BR /><BR />What's the best way to filter a search against a set of unique id's in a subsearch?</P><P><BR />Currently, approaching it as such:<BR /><BR />&lt;events to filter against subsearch ids&gt;<BR />| join left subsearch_id&nbsp;<BR />| [search subsearch]<BR /><BR />Though, it's returning a 1:1 set v. all primary search events that contain a matching id.</P> Wed, 13 Jan 2021 18:09:55 GMT https://community.splunk.com/t5/Splunk-Search/Filter-search-by-subsearch-values/m-p/535692#M151406 ahcarpenter 2021-01-13T18:09:55Z https://community.splunk.com/t5/Splunk-Search/Filter-search-by-subsearch-values/m-p/535747#M151424 <P>There's no much to work with in the question, but perhaps this gives you an idea.</P><LI-CODE lang="markup">&lt;events to filter against subsearch ids&gt; [search subsearch | return 1000 subsearch_id]</LI-CODE><P>The subsearch with <FONT face="courier new,courier">return</FONT> command returns a string of the type "<FONT face="courier new,courier">(subsearch_id="foo" OR subsearch_id="bar")</FONT>" which filters the events from the base search.</P> Thu, 14 Jan 2021 01:46:37 GMT https://community.splunk.com/t5/Splunk-Search/Filter-search-by-subsearch-values/m-p/535747#M151424 richgalloway 2021-01-14T01:46:37Z