https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587439#M204579 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>&nbsp;<BR /><BR />can you try this&nbsp;<BR /><BR /><SPAN>index=computer_admin source=emp_card_details sourcetype="something:db"<BR />| join type=left <STRONG>C_NAME</STRONG><BR />[| search index=computer_admin source=admin_priv sourcetype=prive:db account_name=admin earliest=-1d<BR /><STRONG>| rename comp_name as C_NAME</STRONG><BR />| table C_NAME,comp_role,account_name,local_gp,gp_name]<BR />| eval arl=lower(C_NAME)<BR />| stats values(asset_owner) by arl<BR /></SPAN></P> Thu, 03 Mar 2022 13:55:32 GMT SanjayReddy 2022-03-03T13:55:32Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587425#M204575 <P>I have 2 Splunk SPLs<BR />=====================<BR />index=computer_admin source=admin_priv sourcetype=prive:db account_name=admin earliest=-1d<BR />| fields comp_name,comp_role,account_name,local_gp,gp_name<BR />| table <STRONG>comp_name,</STRONG>comp_role,account_name,local_gp,gp_name<BR />=====================<BR /><BR />The comp_name fields has values such as ,&nbsp;<BR /><U>AAAAA, BBBBB,&nbsp; CCCCC, AFSGSH, GFDFDF, IUYTE, HGFDJ, ZZZZZ, YYYYYY, IIIIII, EEEEEE</U><BR />Basically I am looking for all the comp_names that the admin is on and copying the list to use in another SPL&nbsp; to get the comp owners.<BR /><BR />Second SPL :<BR />===================<BR />index=computer_admin&nbsp; source=emp_card_details&nbsp; sourcetype="something:db" <STRONG>C_NAME</STRONG> IN (AAAAA, BBBBB,&nbsp; CCCCC, AFSGSH, GFDFDF, IUYTE, HGFDJ, ZZZZZ, YYYYYY, IIIIII, EEEEEE)<BR />| eval arl=lower(C_NAME)<BR />| stats values(asset_owner) by arl<BR />===================<BR /><BR />Can we use subsearch or any thing similar to get it done in on SPL ?<BR />Any assistance ?<BR /><BR /></P> Thu, 03 Mar 2022 13:56:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587425#M204575 zacksoft_wf 2022-03-03T13:56:31Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587439#M204579 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>&nbsp;<BR /><BR />can you try this&nbsp;<BR /><BR /><SPAN>index=computer_admin source=emp_card_details sourcetype="something:db"<BR />| join type=left <STRONG>C_NAME</STRONG><BR />[| search index=computer_admin source=admin_priv sourcetype=prive:db account_name=admin earliest=-1d<BR /><STRONG>| rename comp_name as C_NAME</STRONG><BR />| table C_NAME,comp_role,account_name,local_gp,gp_name]<BR />| eval arl=lower(C_NAME)<BR />| stats values(asset_owner) by arl<BR /></SPAN></P> Thu, 03 Mar 2022 13:55:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587439#M204579 SanjayReddy 2022-03-03T13:55:32Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587443#M204581 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236694">@SanjayReddy</a>&nbsp;The field name is <STRONG>C_NAME</STRONG> in one SPL and&nbsp; <STRONG>comp_name</STRONG> is another SPL,<BR />In that case will,&nbsp; | join type=left C_NAME truly join the two data sets ?<BR />Just curious, my understanding could be wrong here !</P> Thu, 03 Mar 2022 13:53:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587443#M204581 zacksoft_wf 2022-03-03T13:53:48Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587444#M204582 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>&nbsp;<BR /><BR />in sub search we are renaming&nbsp;<SPAN>&nbsp;<STRONG>comp_name</STRONG> as <STRONG>C_NAME</STRONG> to match with data in main query<BR />&nbsp; then both sub search and main searches are joined by common field&nbsp;C_NAME&nbsp;</SPAN></P> Thu, 03 Mar 2022 13:55:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587444#M204582 SanjayReddy 2022-03-03T13:55:08Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587448#M204584 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236694">@SanjayReddy</a>&nbsp; Thanks Sanjay, this helps.<BR />About the&nbsp;earliest=-1d&nbsp; written in the inner SPL, does it mean , it will&nbsp; force both the inner and outer query to run in the -1d time range , irrespective of the time range chosen in the search-bar ?</P> Thu, 03 Mar 2022 14:12:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587448#M204584 zacksoft_wf 2022-03-03T14:12:26Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587449#M204585 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>&nbsp;<BR /><BR /><SPAN><STRONG>earliest=-1d</STRONG> only applicable to inner search&nbsp;<BR /><BR /></SPAN>main search will run on time frame that selected in time range picker&nbsp;<BR /><BR />if you want to run both searches on same time frame you can remove&nbsp;<SPAN>earliest=-1d from inner search&nbsp;<BR />then both searche will run as per time rangepicker time<BR /><BR /><BR />---<BR />If this reply helps you, an upvote/Karma would be appreciated.<BR /></SPAN></P> Thu, 03 Mar 2022 14:21:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Subsearch-to-achieve-this/m-p/587449#M204585 SanjayReddy 2022-03-03T14:21:13Z