https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314410#M94119 <P>Is it possible to create a new search based off of results of previous search. My example below I use regex to extract a new column with all my users names that are extracted from User. </P> <PRE><CODE>index="source1" source="event-source" rex field=_raw "(:?string1=\")(?&lt;User&gt;.*)(:?user account\")" </CODE></PRE> <P>My goal would be to then create a new search of each user in another source</P> <PRE><CODE>[Pesudo EXample] index-source1 source-user-source | search User | Select Id, name, phone, etc. </CODE></PRE> Thu, 31 Aug 2017 14:23:59 GMT AHEARNJ 2017-08-31T14:23:59Z https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314410#M94119 <P>Is it possible to create a new search based off of results of previous search. My example below I use regex to extract a new column with all my users names that are extracted from User. </P> <PRE><CODE>index="source1" source="event-source" rex field=_raw "(:?string1=\")(?&lt;User&gt;.*)(:?user account\")" </CODE></PRE> <P>My goal would be to then create a new search of each user in another source</P> <PRE><CODE>[Pesudo EXample] index-source1 source-user-source | search User | Select Id, name, phone, etc. </CODE></PRE> Thu, 31 Aug 2017 14:23:59 GMT https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314410#M94119 AHEARNJ 2017-08-31T14:23:59Z https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314411#M94120 <P>Yes, this is very common. You do it with a <CODE>subsearch</CODE>:<BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutsubsearches">http://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Aboutsubsearches</A></P> Thu, 31 Aug 2017 14:43:03 GMT https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314411#M94120 woodcock 2017-08-31T14:43:03Z https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314412#M94121 <P>It looks something like this ...</P> <PRE><CODE> index-source1 source="user-source" [ search index="source1" source="event-source" | rex field=_raw "(:?string1=\")(?&lt;User&gt;.*)(:?user account\")" | table User ] | table Id, name, phone, etc. </CODE></PRE> <P>To see why this works, you should look at the <CODE>format</CODE> command. It takes all the events from the search and puts them into a field called <CODE>search</CODE> in this format </P> <PRE><CODE> ( ( User="firstUserValue" ) OR ( User="secondUserValue" ) OR ... ) </CODE></PRE> <P>To see what that looks like, run this...</P> <PRE><CODE> index="source1" source="event-source" | rex field=_raw "(:?string1=\")(?&lt;User&gt;.*)(:?user account\")" | table User | format </CODE></PRE> <P>...and then just remember that anything in square brackets is run first and returned that way. If at the end of the square brackets there is only a field named search, then it is returned as-is. If not, then the format command is implicitly run to convert the records to a single return field named <CODE>search</CODE>. </P> <P>(There are also a couple of other possibilities, like using the <CODE>return</CODE> verb, but those are what matter for your question here.)</P> Thu, 31 Aug 2017 23:17:40 GMT https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314412#M94121 DalJeanis 2017-08-31T23:17:40Z https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314413#M94122 <P>What he said.</P> Fri, 01 Sep 2017 00:17:08 GMT https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314413#M94122 woodcock 2017-09-01T00:17:08Z https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314414#M94123 <P>Thanks for such a detailed response. I really appreciate the explanation. </P> Fri, 01 Sep 2017 02:33:16 GMT https://community.splunk.com/t5/Splunk-Search/How-does-subsearch-work/m-p/314414#M94123 AHEARNJ 2017-09-01T02:33:16Z