https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232229#M68870 <P>Hello!</P> <P>I'm interested in passing a result or results (a list of users from proxy logs) from a subsearch into a field in my parent search (against AV logs). I tried using eval, but was unsuccessful. Is it possible to pass results from a subsearch into a variable? Any help would be appreciated!</P> <P>Something like this doesn't work:</P> <PRE><CODE>index=MyData sourcetype=AV_logs user=[index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc </CODE></PRE> Thu, 05 May 2016 15:31:30 GMT Splunkquish 2016-05-05T15:31:30Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232229#M68870 <P>Hello!</P> <P>I'm interested in passing a result or results (a list of users from proxy logs) from a subsearch into a field in my parent search (against AV logs). I tried using eval, but was unsuccessful. Is it possible to pass results from a subsearch into a variable? Any help would be appreciated!</P> <P>Something like this doesn't work:</P> <PRE><CODE>index=MyData sourcetype=AV_logs user=[index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc </CODE></PRE> Thu, 05 May 2016 15:31:30 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232229#M68870 Splunkquish 2016-05-05T15:31:30Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232230#M68871 <P>Remove <CODE>user=</CODE> in your main search. Like this</P> <PRE><CODE>index=MyData sourcetype=AV_logs [index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc </CODE></PRE> Thu, 05 May 2016 15:55:14 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232230#M68871 sundareshr 2016-05-05T15:55:14Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232231#M68872 <P>I'm still not having any luck with my query. When I run my subsearch separately, it successfully produces a table of values, but when it's with a parents search, I get "no results found." Is there a way to pass values from a subsearch directly to a field in my parent search?</P> <P>Thanks for your help!</P> Thu, 05 May 2016 18:36:04 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232231#M68872 Splunkquish 2016-05-05T18:36:04Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232232#M68873 <P>Do you get valid results when you run the main search and the sub search separately? Are there any matching?</P> <P>The option would be to try grouping.. like this<BR /> (index=MyData sourcetype=AV_logs) OR (index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk") | stats values(event) as event values(sourcetype) as st by user | where mvcount(st)=2</P> Tue, 29 Sep 2020 09:36:32 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232232#M68873 sundareshr 2020-09-29T09:36:32Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232233#M68874 <P>There are matching results for the fields I'm interested in in both the main and sub searches.</P> Thu, 05 May 2016 19:05:17 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232233#M68874 Splunkquish 2016-05-05T19:05:17Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232234#M68875 <P>Check fieldnames in both, they are case sensitive. Did you try the second option? Also, there are limitation to subsearch, how many events do both searches return? </P> Thu, 05 May 2016 19:22:34 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232234#M68875 sundareshr 2016-05-05T19:22:34Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232235#M68876 <P>I'm actually testing this with two sets of web traffic logs since most of the data is similar. Both return 3000+ results (source IP) using dedup for a 15 minute period.</P> <P>I haven't tried the other option you suggested. I'm not sure what the "values(event)," "st by user," or "mvcount(st)" means as I've never used them. Is there something I can reference for more information?</P> Thu, 05 May 2016 19:56:16 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232235#M68876 Splunkquish 2016-05-05T19:56:16Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232236#M68877 <P>subsearches should start with <CODE>[ search</CODE>.</P> Tue, 21 Feb 2017 09:00:05 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232236#M68877 sinash 2017-02-21T09:00:05Z https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232237#M68878 <P>Line @sinash said. This would be the updated query</P> <PRE><CODE>index=MyData sourcetype=AV_logs [search index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc </CODE></PRE> Tue, 21 Feb 2017 09:17:40 GMT https://community.splunk.com/t5/Splunk-Search/Passing-results-from-subsearch-to-a-field-in-parent-search/m-p/232237#M68878 rjthibod 2017-02-21T09:17:40Z