https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9532#M158 <P>Is it possible with subsearch to pass a list of search results to the outside search? similar to a SQL correlated subquery?</P> <P>Background: I have an event that lists an ID and a ReferenceID. The ReferenceID will be a previous ID. Often however, there has been several days, if not weeks between the original ID and the ReferenceID. This makes a Transaction search ineffective for this query.</P> <P>What I'd like to do, is to obtain a list of ReferenceIDs that match some criteria (quick) and then pass each of those into an outer search, so the outer search runs for each of the results returned from the inner search (not the combined results of the inner search). Is this possible?</P> Sat, 30 Jan 2010 03:58:16 GMT Yancy 2010-01-30T03:58:16Z https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9532#M158 <P>Is it possible with subsearch to pass a list of search results to the outside search? similar to a SQL correlated subquery?</P> <P>Background: I have an event that lists an ID and a ReferenceID. The ReferenceID will be a previous ID. Often however, there has been several days, if not weeks between the original ID and the ReferenceID. This makes a Transaction search ineffective for this query.</P> <P>What I'd like to do, is to obtain a list of ReferenceIDs that match some criteria (quick) and then pass each of those into an outer search, so the outer search runs for each of the results returned from the inner search (not the combined results of the inner search). Is this possible?</P> Sat, 30 Jan 2010 03:58:16 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9532#M158 Yancy 2010-01-30T03:58:16Z https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9533#M159 <P>Hi Yancy,</P> <P>This is possible. Something to note about subsearches is the format of what is passed from the inner search to the outer search is important. If you are looking to pass a list of ReferenceIDs, then use the <CODE>fields</CODE> command at the end of your inner search. Otherwise, Splunk will by default pass the events themselves to the outer search.</P> <P>In pseudo search, your use case will look something like this:</P> <PRE><CODE>... &lt;my outer search&gt; [search ReferenceID=abc | fields + ReferenceID] </CODE></PRE> <P>If you post some sample data, we can help you construct the specific query.</P> Sat, 30 Jan 2010 05:15:29 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9533#M159 hulahoop 2010-01-30T05:15:29Z https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9534#M160 <P>It is possible to run an outer search the way you want with the <CODE>map</CODE> command, one time over each inner search result. However, this is extremely inefficient in Splunk, and it is likely that there is a much better way to do it using a subsearch as described by hulahoop. The difference is that you'll have to execute <EM>n</EM>+1 searches (where N is the number of inner search results) instead of 2 searches. To a first approximation, this will take (<EM>n</EM>+1)/2 times as long.</P> Mon, 01 Feb 2010 16:14:49 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9534#M160 gkanapathy 2010-02-01T16:14:49Z https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9535#M161 <P><A href="http://www.innovato.com/splunk/SQLSplunk.html" rel="nofollow">Splunk For SQL Users</A> is also a good resource for this type of question.</P> Wed, 14 Apr 2010 02:43:11 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-like-correlated-subquery-in-SQL/m-p/9535#M161 Yancy 2010-04-14T02:43:11Z