https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34666#M7508 <P>Yes, the earliest and latest time modifiers for each host take care of that. As long as <EM>main_search</EM> is pretty generic ( sourcetype=syslog for example) you should ind what you need.</P> Thu, 15 Nov 2012 11:51:51 GMT alacercogitatus 2012-11-15T11:51:51Z https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34663#M7505 <P>I am trying to create a search where sub-search returns 2 fields. Field 1) list of servers 2) time.</P> <P>now for example., I get 3 results from the sub-search as host1, host2 and host3 for server field along with that I get 3 time which is host1_time, host2_time and host3_time. </P> <P>I want to search (host1 from host1_time to host1_time + 8 hours) and (host2 from host2_time to host2_time + 8 hours) and (host3 from host3_time to host3_time + 8 hours) I tried many type of search but it is not working.</P> <P>Sub-search can return n value for server field and n value for time field. Any help would be appreciated.</P> Mon, 28 Sep 2020 12:48:22 GMT https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34663#M7505 kvmanjunath 2020-09-28T12:48:22Z https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34664#M7506 <P>I do this using time modifiers. Basically I use the subsearch to find the events, do some time based calculations, reformat the output to not include the implicit AND, and then the subsearch modifies the main search.</P> <P>The subsearch returns something like : <CODE>(host=host1 earliest=host1_time latest=host1_time+8 ) OR (host=host2 earliest=host2_time latest=host2_time+8 )</CODE></P> <P>So your whole search looks like this: </P> <P><CODE>main_search [search index=wherever| stats min(_time) as earliest by host|eval latest=earliest+(8*3600)|format "" "(" "" ")" "OR" ""]</CODE></P> Wed, 14 Nov 2012 18:53:02 GMT https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34664#M7506 alacercogitatus 2012-11-14T18:53:02Z https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34665#M7507 <P>Does it works if sub-search returns n results? for example sub-search returns more than 5 servers and 5 different times for 5 servers.</P> Thu, 15 Nov 2012 06:43:44 GMT https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34665#M7507 kvmanjunath 2012-11-15T06:43:44Z https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34666#M7508 <P>Yes, the earliest and latest time modifiers for each host take care of that. As long as <EM>main_search</EM> is pretty generic ( sourcetype=syslog for example) you should ind what you need.</P> Thu, 15 Nov 2012 11:51:51 GMT https://community.splunk.com/t5/Splunk-Search/returning-multiple-fields-with-multiple-values-from-sub-search/m-p/34666#M7508 alacercogitatus 2012-11-15T11:51:51Z