https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305682#M91745 <P>hi </P> <P>Sorry. No look there as</P> <P>Invalid value "$Start_epoc$" for time term 'earliest'</P> <P>I think as both searches run together i have to pass the earlist into the second search for each row.<BR /> THere migh be 100 rows, so i need the second search to run each time with different earliest=$Start_epoc$ latest=$Stop_epoc$ from the first search.</P> Tue, 29 Sep 2020 18:48:29 GMT robertlynch2020 2020-09-29T18:48:29Z https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305680#M91743 <P>Hi </P> <P>I need my appendcols to take values from my first search. Specifically two values of time produce in the first search Start_epoc and Stop_epoc. For each row as the first search will produce multiple rows, and i need the second search to produce the same amount.</P> <P>Then i want to use them in the second search like below.</P> <P>earliest=$Start_epoc$ latest=$Stop_epoc$.</P> <PRE><CODE>| inputlookup Saved_Tests.csv | where Host="UBS-RC_QCST_MASTER" | where 1=1 | search Dev_Optimization="*" | search Functional_Optimization="*" | eval Start_epoc=Start | eval Stop_epoc=Stop | convert ctime(Start) | convert ctime(Stop) | table ID, host, Start_epoc , Stop_epoc | head 1001 | sort 0 - by ID | appendcols [| tstats count where index="mlc_live" host=UBS-RC_QCST_MASTER sourcetype="MX_TIMING2" earliest=$Start_epoc$ latest=$Stop_epoc$ by _indextime host | stats sum(count) as No_Of_MXTIMING_lines by host | table No_Of_MXTIMING_lines ] </CODE></PRE> Tue, 29 Sep 2020 18:47:50 GMT https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305680#M91743 robertlynch2020 2020-09-29T18:47:50Z https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305681#M91744 <P>I have modified the query as per your comment</P> <P>Could you please try this query </P> <P>| inputlookup Saved_Tests.csv <BR /> | where Host="UBS-RC_QCST_MASTER" <BR /> | where 1=1 <BR /> | search Dev_Optimization="<EM>" <BR /> | search Functional_Optimization="</EM>" <BR /> | eval Start_epoc=Start <BR /> | eval Stop_epoc=Stop <BR /> | convert ctime(Start) <BR /> | convert ctime(Stop) <BR /> | table ID, host, Start_epoc , Stop_epoc <BR /> | head 1001 <BR /> | sort 0 - by ID | join Start_epoc Stop_epoc [search | tstats count where index="mlc_live" host=UBS-RC_QCST_MASTER sourcetype="MX_TIMING2" earliest=Start_epoc latest=Stop_epoc by _indextime host <BR /> | stats sum(count) as No_Of_MXTIMING_lines by host <BR /> | table No_Of_MXTIMING_lines ]</P> Tue, 29 Sep 2020 18:47:57 GMT https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305681#M91744 logloganathan 2020-09-29T18:47:57Z https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305682#M91745 <P>hi </P> <P>Sorry. No look there as</P> <P>Invalid value "$Start_epoc$" for time term 'earliest'</P> <P>I think as both searches run together i have to pass the earlist into the second search for each row.<BR /> THere migh be 100 rows, so i need the second search to run each time with different earliest=$Start_epoc$ latest=$Stop_epoc$ from the first search.</P> Tue, 29 Sep 2020 18:48:29 GMT https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305682#M91745 robertlynch2020 2020-09-29T18:48:29Z https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305683#M91746 <P>I have edited the answer as per your comment. Could you please try that query</P> Thu, 29 Mar 2018 08:54:57 GMT https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305683#M91746 logloganathan 2018-03-29T08:54:57Z https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305684#M91747 <P>Considering sources for both your searches are faster (lookup table file and tstats query), you can use <CODE>map</CODE> command like this</P> <PRE><CODE>| inputlookup Saved_Tests.csv | where Host="UBS-RC_QCST_MASTER" | where 1=1 | search Dev_Optimization="*" | search Functional_Optimization="*" | eval Start_epoc=Start | eval Stop_epoc=Stop | convert ctime(Start) | convert ctime(Stop) | table ID, host, Start_epoc , Stop_epoc | head 1001 | map maxsearches=1001 search="| tstats count where index=mlc_live host=UBS-RC_QCST_MASTER sourcetype=MX_TIMING2 earliest=$Start_epoc$ latest=$Stop_epoc$ by _indextime host | stats sum(count) as No_Of_MXTIMING_lines by host | eval ID=\"$ID$\" | eval Start_epoch=$Start_epoc$ | eval Stop_epoc=$Stop_epoc$" | sort 0 - by ID | table ID, host, Start_epoc , Stop_epoc No_Of_MXTIMING_lines </CODE></PRE> Thu, 29 Mar 2018 09:31:53 GMT https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305684#M91747 somesoni2 2018-03-29T09:31:53Z https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305685#M91748 <P>Super super thanks so much <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Also by changing the second search to tstats with out stats it goes much quicker</P> <P>| map maxsearches=20 search="| tstats summariesonly=true count(MXTIMING.Elapsed) as No_Of_MXTIMING_lines FROM datamodel=MXTIMING_V7 WHERE <BR /> host=QCST_RSAT_40 earliest=$Start_epoc$ latest=$Stop_epoc$ </P> Tue, 29 Sep 2020 18:53:04 GMT https://community.splunk.com/t5/Splunk-Search/appendcols-to-take-values-from-my-first-search-for-each-row/m-p/305685#M91748 robertlynch2020 2020-09-29T18:53:04Z