https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182188#M52546 <P>what does the syntax look like so I can pull Multiple fields from a subsearch to an outer search?</P> <PRE><CODE>index=security "An account was successfully logged on." [search index=randomlogs host=employeetermlist20140311 | rex "(?i)^(?:[^,]*,){2}(?P&lt;ADAcctName&gt;[^,]+)" | rex "(?i) .*?,(?P&lt;TermDate&gt;\\d+/\\d+/\\d+)(?=,)" | rename ADAcctName AS Account_Name | table Account_Name TermDate | fields Account_Name TermDate] | eval NewAccount_Name=mvindex(Account_Name, 1) | stats max(_time) by NewAccount_Name | rename max(_time) AS Last_Login | eval Last_Successful_Login=strftime(Last_Login, "%m/%d/%Y") | table NewAccount_Name TermDate Last_Successful_Login </CODE></PRE> <P>My search works just find without TermDate and I figured out that the problem is with my fields </P> <P>I tried listed them multiple different ways but it never pulls TermDate out with my Account_Name?</P> <P>I know it's something easy just not sure what.</P> Tue, 11 Mar 2014 17:17:13 GMT Phynyte 2014-03-11T17:17:13Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182188#M52546 <P>what does the syntax look like so I can pull Multiple fields from a subsearch to an outer search?</P> <PRE><CODE>index=security "An account was successfully logged on." [search index=randomlogs host=employeetermlist20140311 | rex "(?i)^(?:[^,]*,){2}(?P&lt;ADAcctName&gt;[^,]+)" | rex "(?i) .*?,(?P&lt;TermDate&gt;\\d+/\\d+/\\d+)(?=,)" | rename ADAcctName AS Account_Name | table Account_Name TermDate | fields Account_Name TermDate] | eval NewAccount_Name=mvindex(Account_Name, 1) | stats max(_time) by NewAccount_Name | rename max(_time) AS Last_Login | eval Last_Successful_Login=strftime(Last_Login, "%m/%d/%Y") | table NewAccount_Name TermDate Last_Successful_Login </CODE></PRE> <P>My search works just find without TermDate and I figured out that the problem is with my fields </P> <P>I tried listed them multiple different ways but it never pulls TermDate out with my Account_Name?</P> <P>I know it's something easy just not sure what.</P> Tue, 11 Mar 2014 17:17:13 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182188#M52546 Phynyte 2014-03-11T17:17:13Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182189#M52547 <P>Check to make sure your extractions are the same case as what you are trying to list. TermDate is not the same as termdate.</P> Tue, 11 Mar 2014 20:17:11 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182189#M52547 antlefebvre 2014-03-11T20:17:11Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182190#M52548 <P>I updated the search and it's still not working.</P> <P>index=security "An account was successfully logged on." [search index=randomlogs host=employeetermlist20140311 | rex "(?i)^(?:[^,],){2}(?P<ADACCTNAME>[^,]+)" | rex "(?i) .?,(?P<TERMDATE>\d+/\d+/\d+)(?=,)" | rename ADAcctName AS Account_Name | table Account_Name termdate | fields Account_Name, termdate] | eval NewAccount_Name=mvindex(Account_Name, 1) | stats max(_time) by NewAccount_Name | rename max(_time) AS Last_Login | eval Last_Successful_Login=strftime(Last_Login, "%m/%d/%Y") | table NewAccount_Name termdate Last_Successful_Login</TERMDATE></ADACCTNAME></P> Mon, 28 Sep 2020 16:05:41 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182190#M52548 Phynyte 2020-09-28T16:05:41Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182191#M52549 <P>Yes the inner search works just fine if executed by itself</P> Tue, 11 Mar 2014 20:50:58 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182191#M52549 Phynyte 2014-03-11T20:50:58Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182192#M52550 <P>Yes it does</P> Tue, 11 Mar 2014 20:55:11 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182192#M52550 Phynyte 2014-03-11T20:55:11Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182193#M52551 <P>I'm guessing your full search is pulling the Account_Name from the security index. Not the randomlogs index. In that case your not actually getting a event matches with the termdate.</P> Tue, 11 Mar 2014 21:14:27 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182193#M52551 antlefebvre 2014-03-11T21:14:27Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182194#M52552 <P>Do the index=security have field named TermDate?</P> Tue, 11 Mar 2014 21:31:54 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182194#M52552 somesoni2 2014-03-11T21:31:54Z https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182195#M52553 <P>No term date only exists within the randomlogs search. I just want to pull that field out of the inner search and any account name returned I wanted to match the term date in a table beside it</P> Wed, 12 Mar 2014 11:31:52 GMT https://community.splunk.com/t5/Splunk-Search/Fields-Search-Issue/m-p/182195#M52553 Phynyte 2014-03-12T11:31:52Z