topic If I want to use a field from the main search as a search criteria for a sub-search, what code should I write? in Splunk Search https://community.splunk.com/t5/Splunk-Search/If-I-want-to-use-a-field-from-the-main-search-as-a-search/m-p/590964#M205742 <P>If I want to use a field(alarm_time) from the main search as a search criteria for a sub-search, what code should I write?<BR />In the following code, I want to search for the time they are working&nbsp;<BR /><BR />I want to search Conditions : work_start &lt; alarm_time &lt; work_end&nbsp;<BR />search results you want to get : (work_name=work_b)<BR />____________________________________</P> <LI-CODE lang="markup">| makeresults |eval _raw="alarm_time,host,message 2022/03/26 18:05,test_node,test_down" | multikv forceheader=1 | eval alarm_time_strp = strptime(alarm_time,"%Y/%m/%d %H:%M") | join type=left host [| makeresults |eval _raw="host,work_start,work_end,work_name test_node,2022/03/26 17:00,2022/03/26 18:00,work_a test_node,22022/03/26 18:00,2022/03/26 19:00,work_b test_node,2022/03/26 19:00,2022/03/26 20:00,work_c" | multikv forceheader=1 | eval work_start_strp = strptime(work_start,"%Y/%m/%d %H:%M") | eval work_end_strp = strptime(work_end,"%Y/%m/%d %H:%M") ]</LI-CODE> Mon, 28 Mar 2022 15:44:48 GMT hasegawaarte 2022-03-28T15:44:48Z If I want to use a field from the main search as a search criteria for a sub-search, what code should I write? https://community.splunk.com/t5/Splunk-Search/If-I-want-to-use-a-field-from-the-main-search-as-a-search/m-p/590964#M205742 <P>If I want to use a field(alarm_time) from the main search as a search criteria for a sub-search, what code should I write?<BR />In the following code, I want to search for the time they are working&nbsp;<BR /><BR />I want to search Conditions : work_start &lt; alarm_time &lt; work_end&nbsp;<BR />search results you want to get : (work_name=work_b)<BR />____________________________________</P> <LI-CODE lang="markup">| makeresults |eval _raw="alarm_time,host,message 2022/03/26 18:05,test_node,test_down" | multikv forceheader=1 | eval alarm_time_strp = strptime(alarm_time,"%Y/%m/%d %H:%M") | join type=left host [| makeresults |eval _raw="host,work_start,work_end,work_name test_node,2022/03/26 17:00,2022/03/26 18:00,work_a test_node,22022/03/26 18:00,2022/03/26 19:00,work_b test_node,2022/03/26 19:00,2022/03/26 20:00,work_c" | multikv forceheader=1 | eval work_start_strp = strptime(work_start,"%Y/%m/%d %H:%M") | eval work_end_strp = strptime(work_end,"%Y/%m/%d %H:%M") ]</LI-CODE> Mon, 28 Mar 2022 15:44:48 GMT https://community.splunk.com/t5/Splunk-Search/If-I-want-to-use-a-field-from-the-main-search-as-a-search/m-p/590964#M205742 hasegawaarte 2022-03-28T15:44:48Z Re: If I want to use a field from the main search as a search criteria for a sub-search, what code should I write? https://community.splunk.com/t5/Splunk-Search/If-I-want-to-use-a-field-from-the-main-search-as-a-search/m-p/590965#M205743 <P>In general case, you don't "pass parameters" to a subsearch. It's the other way around - the subsearch is evaluated first, its results are rendered to a condition or set of conditions which gets appended to the main search.</P><P>You can use the map command to launch a subsearch with parameters coming from the main search but it's for a very very rare cases.</P><P>As a rule of thumb you should avoid subsearches whenever you can - they have their limitations and can fail silently and fail you in a very nasty way.</P><P>Huge part of searches you'd initially try to write with subsearches (and joins) can be rewritten as stats.</P> Sat, 26 Mar 2022 10:34:58 GMT https://community.splunk.com/t5/Splunk-Search/If-I-want-to-use-a-field-from-the-main-search-as-a-search/m-p/590965#M205743 PickleRick 2022-03-26T10:34:58Z