https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83553#M21284 <P>This is exactly what I was looking for, thank you!</P> Wed, 03 Apr 2013 18:29:13 GMT msarro 2013-04-03T18:29:13Z https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83551#M21282 <P>Hey everyone, I am pretty sure this is a simple question, but I'd appreciate a sanity check.</P> <P>When I run the following command I get a list of values (2910 results, suppose one value is the string "ReturnedValueX"):</P> <PRE><CODE>index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD </CODE></PRE> <P>When i try to run it as a subsearch to another search command however, I get 0 results.</P> <PRE><CODE>index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|table MY_OTHER_FIELD] </CODE></PRE> <P>BUT, if I take one of the values from MY_OTHER_FIELD and use it as a string in the search command like this I get results:</P> <PRE><CODE>index=myothersearchindex host="myserver*" "ReturnedValueX" </CODE></PRE> <P>The only possible issues I can think of are:<BR /> 1) The number of results from the subsearch is too high<BR /> 2) There are no defined fields in index=myothersearchindex, just raw log data. The goal is to take the list of string values from the subsearch and use it to limit the results of the outer search.</P> Mon, 28 Sep 2020 13:39:52 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83551#M21282 msarro 2020-09-28T13:39:52Z https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83552#M21283 <P>Hello msarro,</P> <P>I think I see what you are trying to do which is to pass the values up from a subsearch to main search. For this you will need the to use the <STRONG>return</STRONG> command. By default <STRONG>return</STRONG> only returns one value, but you can increase that. There are performance implications to increases the return value.</P> <P>Here is my example not knowing your data. <BR /> <CODE></CODE><PRE><CODE><BR /> index=myothersearchindex host="myserver*" [search index=mysearchindex host=myserver* My_Field="901089187"|return 10 MY_OTHER_FIELD]<BR /> </CODE></PRE></P> <P>What your search is accually looks like.<BR /> <CODE></CODE><PRE><CODE><BR /> index=myothersearchindex host="myserver*" MY_OTHER_FIELD="Value1" OR MY_OTHER_FIELD="Value2" OR MY_OTHER_FIELD="Value3" OR MY_OTHER_FIELD="Value4" OR MY_OTHER_FIELD="Value5" OR MY_OTHER_FIELD="Value6"<BR /> </CODE></PRE></P> <P>If you just want the values use <STRONG>... | return 10 $MY_OTHER_FIELD</STRONG></P> <P>Additional Reading:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Return">Return</A></P> <P>Hope this helps or gets you started. If it does don't forget to vote up and/or accept the answer.</P> <P>Cheers</P> Wed, 03 Apr 2013 16:56:06 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83552#M21283 bmacias84 2013-04-03T16:56:06Z https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83553#M21284 <P>This is exactly what I was looking for, thank you!</P> Wed, 03 Apr 2013 18:29:13 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-in-search-command-not-returning-results/m-p/83553#M21284 msarro 2013-04-03T18:29:13Z