https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163443#M46394 <P>I am not <EM>sure</EM> that this will be better, but try it:</P> <PRE><CODE>sourcetype=FW [ search index=ABC | dedup IP | eval src_ip=IP | eval dest_ip=IP | fields src_ip dest_ip | format "(" "(" "OR" ")" "OR" ")" ] </CODE></PRE> <P>You don't really need all the parentheses in the <CODE>format</CODE> command, but it was hard to read when I substituted spaces instead. And the end result will be the same.</P> <P>It is only one subsearch instead of two, and it will specify the fields to search.</P> Tue, 03 Dec 2013 06:28:47 GMT lguinn2 2013-12-03T06:28:47Z https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163440#M46391 <P>I am monitoring a directory with multiple CSV files and indexing these to say an index "ABC". The goal is to extract a field "IP" from this index and match it against multiple fields (src_ip, dst_ip) in different sourcetypes which will be the main search.</P> <P>I am using the following query:</P> <P>sourcetype=FW [search index=ABC| rename IP as search | fields search |format]</P> <P>This query returns events from sourcetype=FW where any field matches "IP" and it's slow. I would like to search the "IP" only in src_ip and dst_ip fields in the FW. </P> <P>How can I achieve this? Is subsearch the right solution in this case, because the list of "IP" in index "ABC" is going to get longer everyday?</P> Mon, 28 Sep 2020 15:24:16 GMT https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163440#M46391 spj2 2020-09-28T15:24:16Z https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163441#M46392 <P>What is in the CSV files? Do they contain time-stamped events, or are they more like lists or tables of IP addresses?</P> Tue, 03 Dec 2013 06:19:14 GMT https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163441#M46392 lguinn2 2013-12-03T06:19:14Z https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163442#M46393 <P>Try This</P> <PRE><CODE>sourcetype=FW [search index=ABC | stats count by IP | rename IP as src_ip | fields - count] OR [search index=ABC | stats count by IP | rename IP as dst_ip | fields - count] </CODE></PRE> <P>This will take unique values of IP from index=ABC (stats is the fastest way) then using subsearch a clause will be added as filter "src_ip=<VALUES found="" from="" index="ABC">". Same is repeated for dst_ip, added as OR clause.</VALUES></P> Mon, 28 Sep 2020 15:24:27 GMT https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163442#M46393 somesoni2 2020-09-28T15:24:27Z https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163443#M46394 <P>I am not <EM>sure</EM> that this will be better, but try it:</P> <PRE><CODE>sourcetype=FW [ search index=ABC | dedup IP | eval src_ip=IP | eval dest_ip=IP | fields src_ip dest_ip | format "(" "(" "OR" ")" "OR" ")" ] </CODE></PRE> <P>You don't really need all the parentheses in the <CODE>format</CODE> command, but it was hard to read when I substituted spaces instead. And the end result will be the same.</P> <P>It is only one subsearch instead of two, and it will specify the fields to search.</P> Tue, 03 Dec 2013 06:28:47 GMT https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163443#M46394 lguinn2 2013-12-03T06:28:47Z https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163444#M46395 <P>Thanks somesoni2 and lguinn. Both the solutions worked and took exactly the same amount of time.</P> Tue, 03 Dec 2013 14:31:13 GMT https://community.splunk.com/t5/Splunk-Search/Matching-specific-fields-in-main-search-with-the-results-from/m-p/163444#M46395 spj2 2013-12-03T14:31:13Z