https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323620#M96623 <P>Actually I have 2 below logger, In that common field is UniqueReqId only.</P> <P>LOGGER([UniqueReqId]+[MyLogger])<BR /> LOGGER([UniqueReqId]+[userName]+[Action])</P> <P>So my requirement is i need to find out the UniqueReqId which contains MyLogger.[ This i want to search in sub-search block.]</P> <P>once i will get the <BR /> all possible UniqueReqId in sub-search then We need to find out the userName who is using action=myAction and UniqueReqId=[Multiple UniqueReqId from subsearch].<BR /> So fetch the userName from all possible UniqueReqId got from subsearch where action=myAction.</P> <P>We have multiple actions, so action=MyAction and UniqueReqId=(02191c34-b485,0228ff59,02be90c8,02e2ef7f etc)</P> <P>MyLogger is not require here, because it does not apear in other logger.</P> <P>Below command is working fine for me. Thanks Giuseppe <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]</P> Tue, 25 Jul 2017 11:56:38 GMT mdwasimkhan 2017-07-25T11:56:38Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323617#M96620 <P>Hi All,</P> <P>I am looking for a query which will accept multiple value subsearch output as a input of main serach, See below : </P> <P>index=myIndex UniqueReqId in [ <STRONG><EM>search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId</EM></STRONG> ]</P> <P>This sub search "<STRONG><EM>search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId</EM></STRONG>" will return multiple value like below : </P> <P>UniqueReqId Total user<BR /> 002cc2c7-b1e4-49de-bbd3-caa6c2e741e3 1<BR /> 00426627-98cf-4dd5-97b6-af4cde045286 1<BR /> 00567c49-5638-4a0c-a803-04d0b3662aac 1<BR /> 006ef351-33b8-40ed-b320-28473ea1f481 1<BR /> 00caf75c-deed-4581-ab5a-04929b1a943d 1<BR /> 00ff69ef-d57c-43ad-9b64-38cf39b94f6f 1<BR /> 01395957-648b-4e9a-ac76-7fa68f833fce 1<BR /> 01e82329-3d58-4d11-bdca-88100a2dc85c 1<BR /> 02084578-869a-4ce5-bc20-b86c3fea34d2 1<BR /> 021272cb-c043-483f-8512-244210471c63 1<BR /> 02191c34-b485-4a6d-9d77-53f0a8e7875c 1<BR /> 0228ff59-27f8-47e1-a38f-88acdb94fb22 1<BR /> 028177b6-f2f3-4c53-948e-558d51287d43 1<BR /> 02be90c8-5737-4f89-a204-2a3ea5f79047 1<BR /> 02df9ecb-29bf-4aad-b479-26fde9b6ca94 1<BR /> 02e2ef7f-ea55-4311-b724-c06fe5ab416d 1<BR /> 02e7bacd-4579-44c6-b4c2-be0a4fbf4566 1<BR /> 02eb4faa-39c1-431d-9590-a1fabc7eecd8 1<BR /> 031229db-d4ef-4783-b649-9a1e738d495a 1<BR /> 03216368-6d8e-42e9-8fb1-e2ace7794f4c 1</P> <P>Now whatever the value we are getting in column UniqueReqId, we need to use each value one by one to the main query in UniqueReqId=<STRONG><EM>EachValue</EM></STRONG>.</P> <P>Like Sample example : </P> <P>index=myIndex UniqueReqId IN [002cc2c7-b1e4-49de-bbd3-caa6c2e741e3,00426627-98cf-4dd5-97b6-af4cde045286,00426627-98cf-4dd5-97b6-af4cde0452dsd,etc]</P> <P>I searched a lot but did not get the solution for my requirement however got the solution for single value subsearch output as input for main search.</P> <P>Thanks,<BR /> Wasim</P> Mon, 24 Jul 2017 10:30:49 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323617#M96620 mdwasimkhan 2017-07-24T10:30:49Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323618#M96621 <P>Hi mdwasimkhan,<BR /> If I correctly understood, try something like this</P> <PRE><CODE>index=myIndex MyLogger [ search index=myIndex UniqueReqId | eval UniqueReqId=upper(UniqueReqId) | dedup UniqueReqId | fields UniqueReqId ] | stats count as "Total user" by UniqueReqId </CODE></PRE> <P>In this way you have the event count for each user.<BR /> beware that UniqueReqId field must have the same name in both the searches.</P> <P>Bye.<BR /> Giuseppe</P> Mon, 24 Jul 2017 12:38:04 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323618#M96621 gcusello 2017-07-24T12:38:04Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323619#M96622 <P>Like this:</P> <PRE><CODE>index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ] </CODE></PRE> Mon, 24 Jul 2017 22:00:17 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323619#M96622 woodcock 2017-07-24T22:00:17Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323620#M96623 <P>Actually I have 2 below logger, In that common field is UniqueReqId only.</P> <P>LOGGER([UniqueReqId]+[MyLogger])<BR /> LOGGER([UniqueReqId]+[userName]+[Action])</P> <P>So my requirement is i need to find out the UniqueReqId which contains MyLogger.[ This i want to search in sub-search block.]</P> <P>once i will get the <BR /> all possible UniqueReqId in sub-search then We need to find out the userName who is using action=myAction and UniqueReqId=[Multiple UniqueReqId from subsearch].<BR /> So fetch the userName from all possible UniqueReqId got from subsearch where action=myAction.</P> <P>We have multiple actions, so action=MyAction and UniqueReqId=(02191c34-b485,0228ff59,02be90c8,02e2ef7f etc)</P> <P>MyLogger is not require here, because it does not apear in other logger.</P> <P>Below command is working fine for me. Thanks Giuseppe <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]</P> Tue, 25 Jul 2017 11:56:38 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323620#M96623 mdwasimkhan 2017-07-25T11:56:38Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323621#M96624 <P>Yes, This is what i was looking for.</P> <P>Thanks</P> Tue, 25 Jul 2017 12:13:26 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323621#M96624 mdwasimkhan 2017-07-25T12:13:26Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323622#M96625 <P>I downvoted this post because below is the expected query : </P> <P>index=myindex [ search index=myindex mylogger | dedup uniquereqid | fields uniquereqid ]</P> <P>thanks</P> Tue, 25 Jul 2017 12:31:06 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/323622#M96625 mdwasimkhan 2017-07-25T12:31:06Z