https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255693#M76563 <P>You cannot name a search by you can achieve what you're looking for by renaming the fields in each of the searches, like so.</P> <PRE><CODE>host="1.1.1.1" VPN=A | eval searchA_time=_time | join IP [search host="1.1.1.1" VPN=b | eval searchB_time=_time | fields searchB_time ] table searchA_time searchB_time username </CODE></PRE> Tue, 17 May 2016 12:18:55 GMT sundareshr 2016-05-17T12:18:55Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255692#M76562 <P>Dear all,</P> <P>I have a following search</P> <PRE><CODE>host="1.1.1.1" VPN=A | join IP [search host="1.1.1.1" VPN=b] table _time,username </CODE></PRE> <P>May I know is it possible give a name to the main search and sub search, such as searchA and searchB. so when I create a table, I can call out searchA._time and searchB._time</P> <P>Thanks</P> Tue, 29 Sep 2020 09:44:06 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255692#M76562 peterchow 2020-09-29T09:44:06Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255693#M76563 <P>You cannot name a search by you can achieve what you're looking for by renaming the fields in each of the searches, like so.</P> <PRE><CODE>host="1.1.1.1" VPN=A | eval searchA_time=_time | join IP [search host="1.1.1.1" VPN=b | eval searchB_time=_time | fields searchB_time ] table searchA_time searchB_time username </CODE></PRE> Tue, 17 May 2016 12:18:55 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255693#M76563 sundareshr 2016-05-17T12:18:55Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255694#M76564 <P>Hi ,</P> <P>You can try something like this to extract the _time value from main search or sub search .</P> <PRE><CODE>host="1.1.1.1" VPN=A | eval OuterTime=_time| join IP [search host="1.1.1.1" VPN=b | eval InnerTime=_time ] table _time,username OuterTime InnerTime </CODE></PRE> <P>For such requirement, I would prefer to use stats command as it is much faster. </P> Tue, 17 May 2016 12:46:42 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255694#M76564 badrinath_itrs 2016-05-17T12:46:42Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255695#M76565 <P>thanks a lot. It seems work but the time show sequence number. do you know why</P> Wed, 18 May 2016 07:49:08 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255695#M76565 peterchow 2016-05-18T07:49:08Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255696#M76566 <P>Hi ,</P> <P>The time format will be epoch timestamp and you need to convert to Human readable format using below command. </P> <PRE><CODE>your search .. |convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(OuterTime) ctime(InnerTime) </CODE></PRE> <P>Hope this resolves your query.</P> <P>Additionally if this solves your query, please mark this thread as answered. </P> Wed, 18 May 2016 23:29:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255696#M76566 badrinath_itrs 2016-05-18T23:29:33Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255697#M76567 <P>It works. Thanks a lot</P> Thu, 19 May 2016 02:37:20 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-name-the-main-search-and-the-subsearch-to/m-p/255697#M76567 peterchow 2016-05-19T02:37:20Z