https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574273#M200128 <P>Thank you, JC.&nbsp; I very much appreciate the assist, unfortunately that didn't help.&nbsp; Returns no results again.</P><P>The regex actually provides me with the GUID.&nbsp; It's a much longer string in the logs.&nbsp; And the first query with the GUID hardcoded gives me the final results I'm looking for.</P><P>Thanks again!&nbsp; Cheers,</P><P>Brian</P> Tue, 09 Nov 2021 18:45:24 GMT gillockb 2021-11-09T18:45:24Z https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574213#M200112 <P>Hello Splunksters,</P><P>I'm new to Splunk and am constructing my first subsearch.&nbsp; I've read the <A title="Use a subsearch" href="https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchTutorial/Useasubsearch" target="_blank" rel="noopener">documentation on subsearches</A>, but am apparently missing something fundamental.&nbsp; I have a log file that captures and records events based on a GUID.&nbsp; Obviously GUIDs aren't something one goes searching for directly.&nbsp; The primary search is by phone number.&nbsp; So, I need to accept a phone number, retrieve the associated GUID and then return all the results tied to that GUID.&nbsp; I have the search retrieving the GUID working, and want to use that as the subsearch.</P><P>Ultimate search I wish to run:</P><LI-CODE lang="markup">index="myIndex" sourcetype="mySourceType" 7c10cfbc-6892-4590-a05c-c12acf16932b</LI-CODE><P>&nbsp;</P><P>Search retrieving GUID (this works):</P><LI-CODE lang="markup">index="myIndex" host="myHost" sourcetype="mySourceType" &lt;phoneNumber&gt; | rex field=_raw "(?&lt;GUID&gt;\].*$$)" | rex field=GUID "(?&lt;GUID&gt;[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | table GUID</LI-CODE><P>&nbsp;</P><P>What I thought the subsearch should look like:</P><LI-CODE lang="markup">index="myIndex" sourcetype="mySourceType" [search index="myIndex" host="myHost" sourcetype="mySourceType" &lt;phoneNumber&gt; | rex field=_raw "(?&lt;GUID&gt;\].*$$)" | rex field=GUID "(?&lt;GUID&gt;[^NAME]+)" | eval GUID=replace(GUID, "]", "") | rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g" | dedup GUID | table GUID]</LI-CODE><P>Everything in the [] returns the GUID, as I understand the doc, that should be what is searched for in the main search.&nbsp; What am I missing?</P><P>Thank you!</P><P>Brian</P> Tue, 09 Nov 2021 15:11:09 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574213#M200112 gillockb 2021-11-09T15:11:09Z https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574217#M200115 <P>Try adding a join:</P><P>The sub search should produce the GUID based on your logic, however the format of the GUID in the outer search would need to match.&nbsp; If the inner search shows the GUID as</P><PRE>7c10cfbc-6892-4590-a05c-c12acf16932b</PRE><P>after you replace and rex then the outer search would also need to have a match GUID field of&nbsp;</P><PRE>7c10cfbc-6892-4590-a05c-c12acf16932b</PRE><P>index="myIndex" sourcetype="mySourceType"<BR />| join GUID [search index="myIndex" host="myHost" sourcetype="mySourceType" &lt;phoneNumber&gt;<BR />| rex field=_raw "(?&lt;GUID&gt;\].*$$)"<BR />| rex field=GUID "(?&lt;GUID&gt;[^NAME]+)"<BR />| eval GUID=replace(GUID, "]", "")<BR />| rex field=GUID mode=sed "s/(^\s+)|(\s+$)//g"<BR />| dedup GUID<BR />| fields GUID ]<BR />| table GUID, &lt;other fields from the outer search you want to display&gt;</P><P>&nbsp;</P> Tue, 09 Nov 2021 15:21:38 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574217#M200115 jcraumer 2021-11-09T15:21:38Z https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574273#M200128 <P>Thank you, JC.&nbsp; I very much appreciate the assist, unfortunately that didn't help.&nbsp; Returns no results again.</P><P>The regex actually provides me with the GUID.&nbsp; It's a much longer string in the logs.&nbsp; And the first query with the GUID hardcoded gives me the final results I'm looking for.</P><P>Thanks again!&nbsp; Cheers,</P><P>Brian</P> Tue, 09 Nov 2021 18:45:24 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574273#M200128 gillockb 2021-11-09T18:45:24Z https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574469#M200196 <P>Bah!&nbsp; I figured it out.&nbsp; I did not realize the format command was being applied to the subsearch resulting in&nbsp;</P><LI-CODE lang="markup">( ( GUID="7c10cfbc-6892-4590-a05c-c12acf16932b" ) ) </LI-CODE><P><SPAN>instead of just the GUID value.&nbsp; And as the raw data does not contain a GUID field, there was nothing to match it to.&nbsp; Since I constructed the subsearch in the Search app it was giving me just the value I was looking for.&nbsp; Hard lesson learned...</SPAN></P><P>&nbsp;</P><P><SPAN>I ran an Extract&nbsp; New Fields to create the GUID field from the raw data and now am receiving the results I desire.&nbsp; Thanks all for taking a look and thanks again, JC for trying to help!</SPAN></P> Wed, 10 Nov 2021 18:28:18 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574469#M200196 gillockb 2021-11-10T18:28:18Z https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574472#M200197 <P>Glad you were able to figure it out.</P> Wed, 10 Nov 2021 18:41:11 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-not-returning-any-results/m-p/574472#M200197 jcraumer 2021-11-10T18:41:11Z