https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548300#M155523 <P>The key thing to know here is subsearches execute <STRONG>before</STRONG> the main search runs.&nbsp; Search for the first party in the subsearch and the second party in the main search and it should work.</P> Fri, 16 Apr 2021 21:00:38 GMT richgalloway 2021-04-16T21:00:38Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548294#M155522 <P>I have a problem I'm trying to solve in a subsearch query.</P><P>The problem I'm trying to solve, is to monitor when two separate parties generate an event to measure the time in between, with a common <STRONG>assignmentId</STRONG>. The main search is the first party, the subsearch pulls the second party if it exists.</P><P>This search *almost* gets me there:</P><LI-CODE lang="markup">index=my_index sourceServiceId=MyService ruleId=dbdc2f48-1b2c-4869-92ea-10a12f03e3ce | sort -_time | dedup assignmentId | join type=left assignmentId [ search index=my_index sourceServiceId=MyService ruleId=1caf58a6-d4b9-4a1a-a0d7-43b590a374f5 | dedup assignmentId | sort -_time ]</LI-CODE><P>&nbsp;</P><P>However, the above search is not exactly right, as it pulls the "last event from second party". What I need is the "first event from the second party, AFTER the first party's event".</P><P>So, basically I want the subsearch to be ordered in ASC time order, limiting results to those that are AFTER the found record in the main search.</P><P>I have tried changing the query to variations of the following search, but it does not return any data at all from the subsearch. Is it not valid to use a where clause like this in a subsearch? If not, is there another strategy I can use for this?</P><LI-CODE lang="markup">index=my_index sourceServiceId=MyService ruleId=dbdc2f48-1b2c-4869-92ea-10a12f03e3ce | sort -_time | dedup assignmentId | join type=left left=mainResults right=subResults assignmentId [ search index=my_index sourceServiceId=MyService ruleId=1caf58a6-d4b9-4a1a-a0d7-43b590a374f5 | sort 1 +_time | where subResults._time &gt; mainResults._time ]</LI-CODE><P>&nbsp;</P> Fri, 16 Apr 2021 19:58:22 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548294#M155522 kfancy 2021-04-16T19:58:22Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548300#M155523 <P>The key thing to know here is subsearches execute <STRONG>before</STRONG> the main search runs.&nbsp; Search for the first party in the subsearch and the second party in the main search and it should work.</P> Fri, 16 Apr 2021 21:00:38 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548300#M155523 richgalloway 2021-04-16T21:00:38Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548622#M155639 <P>Unfortunately I can't do that, as sometimes the end event doesn't exist yet (async user behaviours...), which results in not finding the starting event, which is required.</P><P>Is there another possible approach to use?</P> Tue, 20 Apr 2021 15:43:29 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Join-with-a-where-clause-lt-comparison-to-field-from/m-p/548622#M155639 kfancy 2021-04-20T15:43:29Z