https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741381#M240608 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308398">@dzhangw7</a>&nbsp;,</P><P>why are you using a subsearch?</P><P>you can put all the conditions in the main search:</P><LI-CODE lang="markup">index=my_index "Check something" (("Extracted entities" AND "'date': None") OR extracted_entities.date=null) | timechart count by classification</LI-CODE><P>eventually adding a condition on identity_id</P><LI-CODE lang="markup">index=my_index "Check something" (("Extracted entities" AND "'date': None") OR extracted_entities.date=null) identity_id=* | timechart count by classification</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 11 Mar 2025 07:49:48 GMT gcusello 2025-03-11T07:49:48Z https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741363#M240604 <P>Can someone help create an equivalent query to the following, without using subsearch? There are probably too many results and the query does not complete.</P><P>&nbsp;</P><P>index=my_index&nbsp;<BR />[search index=my_index ("Extracted entities" AND "'date': None") OR extracted_entities.date=null | stats count by entity_id | fields entity_id | format]<BR />"Check something" | timechart count by classification</P><P>&nbsp;</P><P>Basically I want to extract the list of entity_ids from this search:&nbsp;[search index=my_index ("Extracted entities" AND "'date': None") OR extracted_entities.date=null] where dates are null and then use those IDs to correlate in a second search&nbsp;"Check something" which has a field "classification", and then I want to do a timechart on the result to see a line graph of events where a date was missing from an event, plus with a given classification.</P> Tue, 11 Mar 2025 04:29:31 GMT https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741363#M240604 dzhangw7 2025-03-11T04:29:31Z https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741381#M240608 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/308398">@dzhangw7</a>&nbsp;,</P><P>why are you using a subsearch?</P><P>you can put all the conditions in the main search:</P><LI-CODE lang="markup">index=my_index "Check something" (("Extracted entities" AND "'date': None") OR extracted_entities.date=null) | timechart count by classification</LI-CODE><P>eventually adding a condition on identity_id</P><LI-CODE lang="markup">index=my_index "Check something" (("Extracted entities" AND "'date': None") OR extracted_entities.date=null) identity_id=* | timechart count by classification</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 11 Mar 2025 07:49:48 GMT https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741381#M240608 gcusello 2025-03-11T07:49:48Z https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741391#M240610 <P>As <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a> already pointed out - if your subsearch reaches to the same index as the outer search, it's pointless to do it this way. Limiting the base search is enough.</P><P>But if you want to correlate events from two different indexes, you'd need to search from both indexes at the same time (join conditions with OR) and then do some stats by common field.</P><P>Anyway,</P><PRE>| stats count by entity_id | fields entity_id</PRE><P>doesn't make much sense. It's enough to do</P><PRE>| stats values(entity_id) as entity_id</PRE><P>&nbsp;</P> Tue, 11 Mar 2025 09:16:16 GMT https://community.splunk.com/t5/Splunk-Search/Equivalent-timechart-correlation-query-without-subsearch/m-p/741391#M240610 PickleRick 2025-03-11T09:16:16Z