https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114486#M30279 <P>Hello sideview.</P> <P>Thank you for the comment.<BR /> The stats command is just the filter for which record should I remain in use.</P> <P>I will look into the format command.</P> Mon, 20 Jan 2014 02:02:55 GMT yuwtennis 2014-01-20T02:02:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114480#M30273 <P>Hi !</P> <P>I would like to have help with search.</P> <P>I would like to pass the results from one search</P> <P>search xxxxx|xxxxx<BR /> result:</P> <H2>fieldA</H2> <P>a<BR /> b<BR /> c<BR /> d<BR /> e</P> <P>to other search as <BR /> search field=a OR field=b OR field=c OR field=d OR field=e | xxxxx</P> <P>Can this be done with append or do you need additional scripting?</P> <P>Thanks,<BR /> Yu</P> Wed, 15 Jan 2014 07:06:18 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114480#M30273 yuwtennis 2014-01-15T07:06:18Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114481#M30274 <P>Have a look at format. <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format</A></P> <P>You can do this by using a subsearch and calling format with custom parameters in order to alter the way the subsearch outputs its results.</P> <PRE><CODE>[search ... | rename fieldA as field | fields field | format "(" "(" "OR" ")" "OR" ")"] | ... </CODE></PRE> Wed, 15 Jan 2014 07:54:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114481#M30274 Ayn 2014-01-15T07:54:44Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114482#M30275 <P>Hi ayn.</P> <P>I think I found more simpler way.<BR /> I would rather use join type=inner join</P> <P>| join type=inner max=0 fieldA [<BR /> search index=test1_it OR index=test2_it earliest="11/1/2013:0:0:0" latest="12/1/2013:0:0:0"<BR /> | sort 0 +fieldA<BR /> | delta Seq as diffSeq p=1<BR /> | search diffSeq=*<BR /> | stats count(eval(diffSeq&gt;0)) as cnt by fieldA<BR /> | fields fieldA ]</P> <P>This is part of actual search.</P> Mon, 28 Sep 2020 15:39:33 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114482#M30275 yuwtennis 2020-09-28T15:39:33Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114483#M30276 <P>That's simpler? o_O</P> Wed, 15 Jan 2014 13:12:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114483#M30276 Ayn 2014-01-15T13:12:57Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114484#M30277 <P>Well I have to bit amend my words.</P> <P>Since the parameters I am passing to the next search will be the results from the stats. Which means I can not use the fixed search commands , like format "(" "(" "OR" ")" "OR" ")"] .</P> <P>So I thought I needed to use the join to merge the results.</P> Fri, 17 Jan 2014 02:23:41 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114484#M30277 yuwtennis 2014-01-17T02:23:41Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114485#M30278 <P>definitely don't use join here. Also if you omit the format command from a subsearch entirely, splunk will sneak one in, and it'll be one with those exact same arguments. So you can simplify Ayn's answer by removing that format command entirely. </P> <P>Also I'm not sure what your intention is with <CODE>stats count(eval(diffSeq&gt;0))</CODE> but since you're only using the distinct values anyway at the end, it's looks completely equivalent to </P> <PRE><CODE>* [search index=test1_it OR index=test2_it earliest="11/1/2013:0:0:0" latest="12/1/2013:0:0:0" | dedup fieldA | fields fieldA ] </CODE></PRE> Fri, 17 Jan 2014 04:14:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114485#M30278 sideview 2014-01-17T04:14:15Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114486#M30279 <P>Hello sideview.</P> <P>Thank you for the comment.<BR /> The stats command is just the filter for which record should I remain in use.</P> <P>I will look into the format command.</P> Mon, 20 Jan 2014 02:02:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114486#M30279 yuwtennis 2014-01-20T02:02:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114487#M30280 <P>Sideview</P> <P>Do you mind if I ask the reason why should I not use the join command?</P> Mon, 20 Jan 2014 02:06:49 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114487#M30280 yuwtennis 2014-01-20T02:06:49Z https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114488#M30281 <P>Hello ayn and sideview.</P> <P>This solution was what I was looking for!</P> <P>Thank you very much!</P> Mon, 20 Jan 2014 02:40:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-pass-the-results-from-one-search-as-a-field-in-another/m-p/114488#M30281 yuwtennis 2014-01-20T02:40:57Z