topic Re: How to write subquery in splunk in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-write-subquery-in-splunk/m-p/108954#M28410 <P>I think you may do it all in one search for this use case:</P> <PRE><CODE> index="test" sourcetype="power_test" | chart max(Power) as max_power first(Power) as recent_power over host | sort 10 -max(Power) </CODE></PRE> Thu, 26 May 2011 16:13:14 GMT bwooden 2011-05-26T16:13:14Z How to write subquery in splunk https://community.splunk.com/t5/Splunk-Search/How-to-write-subquery-in-splunk/m-p/108953#M28409 <P>Hello,</P> <P>I am drawing a view having one table. My table has two columns host and max(power). I want to add one more column which has latest value of the particular host. My module is :</P> <PRE><CODE>&lt;module name="HiddenSearch" layoutPanel="panel_row2_col2" group="Power Usage" autoRun="True"&gt; &lt;param name="search"&gt;index="test" sourcetype="power_test"[search index="test" sourcetype="power_test" | chart max(Power) as powerc over host | sort -Date,-Time] | fields powerc | chart max(Power),max(powerc) over host | sort 10 -max(Power)&lt;/param&gt; &lt;param name="groupLabel"&gt;Power Usage&lt;/param&gt; &lt;module name="ViewstateAdapter"&gt; &lt;module name="HiddenFieldPicker"&gt; &lt;param name="strictMode"&gt;True&lt;/param&gt; &lt;module name="JobProgressIndicator"&gt; &lt;module name="EnablePreview"&gt; &lt;param name="enable"&gt;True&lt;/param&gt; &lt;param name="display"&gt;False&lt;/param&gt; &lt;module name="SimpleResultsTable"&gt; &lt;param name="allowTransformedFieldSelect"&gt;True&lt;/param&gt; &lt;/module&gt; &lt;/module&gt; &lt;/module&gt; &lt;/module&gt; &lt;/module&gt; &lt;/module&gt; </CODE></PRE> <P>I am trying to write sub-query which will return latest value of a particular host. That's why i am trying to sort by date and time. </P> <P>But query is giving zero results. Please correct me.</P> <P>Thanks in advance,</P> <P>Geetanjali </P> Thu, 26 May 2011 12:59:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-subquery-in-splunk/m-p/108953#M28409 geetanjali 2011-05-26T12:59:35Z Re: How to write subquery in splunk https://community.splunk.com/t5/Splunk-Search/How-to-write-subquery-in-splunk/m-p/108954#M28410 <P>I think you may do it all in one search for this use case:</P> <PRE><CODE> index="test" sourcetype="power_test" | chart max(Power) as max_power first(Power) as recent_power over host | sort 10 -max(Power) </CODE></PRE> Thu, 26 May 2011 16:13:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-subquery-in-splunk/m-p/108954#M28410 bwooden 2011-05-26T16:13:14Z