https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/646806#M223869 <P>As I have told you before, fields from the outer search are not available to the subsearch because the subsearch is executed first.</P><P>Having said that, since you are using a dashboard, you may be able to use a base search, and set a token in the done handler of the base search, which you can then use in the panel search</P> Tue, 13 Jun 2023 12:27:17 GMT ITWhisperer 2023-06-13T12:27:17Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/646783#M223862 <P>Is it possible for me to do a main search and based on the results from main search I find the fileName and want to use it in the inputlookup for a sub-search. I'm using this on dashboard as well, so doing it by map is waiting for inputs in dashboard and never getting populated.<BR /><BR />Lookup with map:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=main Events | stats count, Events | eval fileName= &lt;filename&gt; | eval lookup="| inputlookup ".fileName | map search="| makeresults | map search="$lookup$</LI-CODE> <P>&nbsp;</P> <P><BR />My Current search query:</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=main Events | stats count, Events | eval fileName= &lt;filename&gt; [| inputlookup [| makeresults | eval search=fileName | table search]] | stats count as known by Events | fillnull known values=0 &lt;remaining search&gt;​</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 13 Jun 2023 11:17:43 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/646783#M223862 Thulasinathan_M 2023-06-13T11:17:43Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/646806#M223869 <P>As I have told you before, fields from the outer search are not available to the subsearch because the subsearch is executed first.</P><P>Having said that, since you are using a dashboard, you may be able to use a base search, and set a token in the done handler of the base search, which you can then use in the panel search</P> Tue, 13 Jun 2023 12:27:17 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/646806#M223869 ITWhisperer 2023-06-13T12:27:17Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/647459#M224090 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;, Thanks. Used Tokens and it done the trick.<BR />I try to push these results to a summary index, and will keep on doing this only if the event is not already present in summary index but I want to maintain the count of this events as well. It seems impossible to maintain unique event in summary index and keep on updating the count of events. Could you kindly suggest a solution for this please.</P> Mon, 19 Jun 2023 07:30:08 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/647459#M224090 Thulasinathan_M 2023-06-19T07:30:08Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/647463#M224093 <P>You should check out my talk on <A href="https://www.youtube.com/watch?v=nYSikXNkXdE" target="_self">Summary index idempotency</A></P> Mon, 19 Jun 2023 07:40:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-eval-and-lookups-with-makeresult/m-p/647463#M224093 ITWhisperer 2023-06-19T07:40:51Z