https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159521#M45030 <P>This should do it:</P> <PRE><CODE>index=app sourcetype="***" | eval timePlus1 = _time + 1 | eval myTimes=if(route="CallIntake" AND action="New", _time . ":" . timePlus1,_time) | makemv delim=":" myTimes | stats values(*) AS * by UserName myTimes | where action="StartCall" AND route="CallIntake" </CODE></PRE> Mon, 03 Aug 2015 16:30:51 GMT woodcock 2015-08-03T16:30:51Z https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159519#M45028 <P>Hey folks,</P> <P>I am really new to Splunk and this has bothered me for several days. I have following data by a query:<BR /> DateTime UserName ID Route Action<BR /> 07/30/2015 09:56:41 AMSEyerushalmi 15142095186 CallIntake New<BR /> 07/30/2015 09:33:59 AMSHjansen 30780945-d17b-4785-a1b1-11426cfedfa5 Agent EndCall<BR /> 07/30/2015 09:33:59 AMSHjansen 15142087154 Autodoc Update_ICase<BR /> 07/30/2015 09:34:00 AMSHjansen 30780945-d17b-4785-a1b1-11426cfedfa5 Application StartCall<BR /> 07/30/2015 09:35:58 AMSHjansen 30780945-d17b-4785-a1b1-11426cfedfa5 CallIntake New<BR /> 07/30/2015 09:35:58 AMSHjansen 15142091213 Application StartCall<BR /> 07/30/2015 09:35:59 AMSHjansen 15142091213 ProductSearch SearchLodging<BR /> 07/30/2015 09:35:59 AMSHjansen 15142091213 ProductSearch SearchLodging<BR /> 07/30/2015 09:35:59 AMSHjansen 15142091213 ProductSearch SearchLodging</P> <P>and my search is:</P> <PRE><CODE>index=app sourcetype="***" | convert ctime(_time) as DateTime | table DateTime UserName ID Route Action | sort UserName by DateTime </CODE></PRE> <P>I want to find all the Application/StartCall routes and in the same second or previous second there is a CallIntake/New with the same UserName.</P> <P>So for this one, it should return me <STRONG>07/30/2015 09:35:58 AMSHjansen 15142091213 Application StartCall</STRONG>. Because in the same second, there's a CallIntake/New and also it is "AMSHjansen".</P> <P>Should I do this by a subsearch? This has bothered me for several days.</P> <P>Any help will be appreciated. </P> Mon, 03 Aug 2015 16:02:03 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159519#M45028 sureleo 2015-08-03T16:02:03Z https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159520#M45029 <P>Try this</P> <PRE><CODE>index=app sourcetype="***" Application StartCall [ search index=app sourcetype="***" CallIntake New | eval earliest=_time| eval latest=_time+2 | fields UserName earliest latest | FORMAT "(" "(" "" ")" "OR" ")" ] </CODE></PRE> <P>First, the subsearch finds all "Callintake New" actions. Then the outer search uses the timeranges and UserNames to choose the "Application StartCall" events.</P> Mon, 03 Aug 2015 16:18:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159520#M45029 lguinn2 2015-08-03T16:18:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159521#M45030 <P>This should do it:</P> <PRE><CODE>index=app sourcetype="***" | eval timePlus1 = _time + 1 | eval myTimes=if(route="CallIntake" AND action="New", _time . ":" . timePlus1,_time) | makemv delim=":" myTimes | stats values(*) AS * by UserName myTimes | where action="StartCall" AND route="CallIntake" </CODE></PRE> Mon, 03 Aug 2015 16:30:51 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159521#M45030 woodcock 2015-08-03T16:30:51Z https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159522#M45031 <P>I had a typo, try again.</P> Mon, 03 Aug 2015 16:43:52 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-do-a-subsearch-in-group-by/m-p/159522#M45031 woodcock 2015-08-03T16:43:52Z