https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630089#M218894 <P>Does this work for you?</P><LI-CODE lang="markup">index="myIndex" source="mySource2" "User:myUserID The user is authenticated and logged in." [search index="myIndex" source="mySource1" | rex "Naam van gebruiker: (?&lt;USER&gt;.+) -" | dedup USER | table USER | sort USER | format] | stats latest(_raw) by USER</LI-CODE><P>Basically, use the search on mySource1 to find a list of USERs which you use to filter mySource2</P> Wed, 08 Feb 2023 12:13:38 GMT ITWhisperer 2023-02-08T12:13:38Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630085#M218891 <P>Hi, I have the following joined Splunk query:<BR /><BR /></P><LI-CODE lang="markup">index="myIndex" source="mySource1" | fields _time, _raw | rex "Naam van gebruiker: (?&lt;USER&gt;.+) -" | dedup USER | table USER | sort USER | join type=left [ search index="myIndex" source="mySource2" "User:myUserID The user is authenticated and logged in." | stats latest(_raw) ]</LI-CODE><P>The results look like this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bleepie_0-1675856259250.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23776i0EB05AD922354545/image-size/medium?v=v2&amp;px=400" role="button" title="Bleepie_0-1675856259250.png" alt="Bleepie_0-1675856259250.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bleepie_1-1675856264124.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/23777i00077C02002C95CE/image-size/medium?v=v2&amp;px=400" role="button" title="Bleepie_1-1675856264124.png" alt="Bleepie_1-1675856264124.png" /></span></P><P>Green is myUserID. Red is some other persons user ID. Because I am using my hardcoded user ID, every person gets the "latest(_raw)" record corresponding to my user id. I want each user to get their own event. I believe this can be done if I use the USER field in the second search, but I don't know the syntax to get it to work. I tried:</P><P>"User:'USER' The user is authenticated and logged in."</P><P>And also</P><P>"User:\USER\ The user is authenticated and logged in."</P><P>But these don't work. What is the correct syntax?</P><P>&nbsp;</P> Wed, 08 Feb 2023 11:41:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630085#M218891 Bleepie 2023-02-08T11:41:17Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630089#M218894 <P>Does this work for you?</P><LI-CODE lang="markup">index="myIndex" source="mySource2" "User:myUserID The user is authenticated and logged in." [search index="myIndex" source="mySource1" | rex "Naam van gebruiker: (?&lt;USER&gt;.+) -" | dedup USER | table USER | sort USER | format] | stats latest(_raw) by USER</LI-CODE><P>Basically, use the search on mySource1 to find a list of USERs which you use to filter mySource2</P> Wed, 08 Feb 2023 12:13:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630089#M218894 ITWhisperer 2023-02-08T12:13:38Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630092#M218896 <P>Hi, this does not return any results. If I run the outher query and inner query both seperately, they work. But together Splunk replies "No results found. Try expanding the time range."</P><P>Also, in this query you still use a hardcoded user id.</P> Wed, 08 Feb 2023 12:41:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630092#M218896 Bleepie 2023-02-08T12:41:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630098#M218900 <P>Maybe I need to clarify a bit:</P><P>&nbsp;</P><P>Source 1 :</P><P><SPAN class="">2023-02-01</SPAN> <SPAN class="">17:00:01</SPAN> <SPAN class="">-</SPAN> <SPAN class="">Naam</SPAN> <SPAN class="">van</SPAN> <SPAN class="">gebruiker:</SPAN> <SPAN class="">hank</SPAN> <SPAN class="">-</SPAN> <SPAN class="">Rol</SPAN> <SPAN class="">van</SPAN> <SPAN class="">gebruiker:</SPAN> <SPAN class="">operator</SPAN></P><P><SPAN class="">2023-02-02</SPAN> <SPAN class="">17:00:01</SPAN> <SPAN class="">-</SPAN> <SPAN class="">Naam</SPAN> <SPAN class="">van</SPAN> <SPAN class="">gebruiker:</SPAN> <SPAN class="">skylar</SPAN> <SPAN class="">-</SPAN> <SPAN class="">Rol</SPAN> <SPAN class="">van</SPAN> <SPAN class="">gebruiker:</SPAN> <SPAN class="">operator</SPAN></P><P><SPAN class="">2023-02-03 17:00:01 - Naam van gebruiker: walt - Rol van gebruiker: operator</SPAN></P><P>&nbsp;</P><P>Source 2 :</P><P><SPAN>2023-02-06 13:49:57,654 User:hank The user is authenticated and logged in.</SPAN></P><P><SPAN>2023-02-07 13:49:57,654 User:skylar The user is authenticated and logged in.</SPAN></P><P><SPAN>2023-02-08 13:49:57,654 User:walt The user is authenticated and logged in.</SPAN></P><P><SPAN>2023-02-03 13:49:57,654 User:hank The user is authenticated and logged in.</SPAN></P><P><SPAN>2023-02-02 13:49:57,654 User:skylar The user is authenticated and logged in.</SPAN></P><P><SPAN>2023-02-01 13:49:57,654 User:walt The user is authenticated and logged in.</SPAN></P><P>&nbsp;</P><P>I need a table. In that table I need a field called USER. USER is the name fetched from source 1. I also need a field called LATEST. In that field I want the entire row from source 2, but only the latest. So for example, I want the following output:<BR /><BR />USER, LATEST<BR />hank,&nbsp;<SPAN>2023-02-03 13:49:57,654 User:hank The user is authenticated and logged in.</SPAN><BR />skylar,&nbsp;<SPAN>2023-02-02 13:49:57,654 User:skylar The user is authenticated and logged in.</SPAN><BR />walt,&nbsp;<SPAN>2023-02-01 13:49:57,654 User:walt The user is authenticated and logged in.</SPAN></P> Wed, 08 Feb 2023 12:55:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630098#M218900 Bleepie 2023-02-08T12:55:43Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630101#M218903 <P>Have you already extracted USER from source2, or do you need to add a rex to do that too? (Your original post didn't include it, so I assumed it was already extracted.) Try something like this</P><LI-CODE lang="markup">index="myIndex" source="mySource2" "The user is authenticated and logged in." | rex "User:(?&lt;USER&gt;\w+) The user is authenticated and logged in." | search [search index="myIndex" source="mySource1" | rex "Naam van gebruiker: (?&lt;USER&gt;.+) -" | dedup USER | table USER | sort USER | format] | stats latest(_raw) by USER</LI-CODE><P>&nbsp;</P> Wed, 08 Feb 2023 13:09:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630101#M218903 ITWhisperer 2023-02-08T13:09:14Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630107#M218904 <P>Yes, both sources need the user extracted. I tried to ran your latest query but no results show up.</P><P>&nbsp;</P><P>I tried running it piece by piece:<BR /><BR /></P><LI-CODE lang="markup">index="myIndex" source="mySource2" "The user is authenticated and logged in." | rex "User:(?&lt;USER&gt;\w+) The user is authenticated and logged in." | table USER | dedup USER</LI-CODE><P>This will give me a list of users found within source 2. If I don't use the table and dedup I get all events instead.</P><P>If I run the other query:</P><LI-CODE lang="markup">index="myIndex" source="mySource1" | rex "Naam van gebruiker: (?&lt;USER&gt;.+) -" | dedup USER | table USER | sort USER</LI-CODE><P>It returns a list of users found in the first source. Again, if I don't use dedup and table I get all the events.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 08 Feb 2023 13:30:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630107#M218904 Bleepie 2023-02-08T13:30:17Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630109#M218905 <P>Not sure if I replied directly under you, check my response a few seconds ago.</P> Wed, 08 Feb 2023 13:31:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630109#M218905 Bleepie 2023-02-08T13:31:09Z https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630125#M218911 <P>I have been playing and managed to get both sources like so:<BR /><BR /></P><LI-CODE lang="markup">index="myIndex" source="mySource2" "The user is authenticated and logged in." | rex "User:(?&lt;USERLEFT&gt;\w+) The user is authenticated and logged in." | dedup USERLEFT | append [search index="myIndex" source="mySource2" | rex "Naam van gebruiker: (?&lt;USERRIGHT&gt;.+) -" | dedup USERRIGHT ]</LI-CODE><P>&nbsp;</P><P>I can display both users from either source. The only thing I am missing now is how to build and compare both sources to get what I need.</P> Wed, 08 Feb 2023 14:35:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-field-inside-quoted-search-as-a-variable/m-p/630125#M218911 Bleepie 2023-02-08T14:35:53Z