Splunk Search

How to write subquery in splunk

Path Finder


I am drawing a view having one table. My table has two columns host and max(power). I want to add one more column which has latest value of the particular host. My module is :

<module name="HiddenSearch" layoutPanel="panel_row2_col2" group="Power Usage" autoRun="True">
    <param name="search">index="test" sourcetype="power_test"[search index="test" sourcetype="power_test" | chart max(Power) as powerc over host | sort -Date,-Time] | fields powerc | chart max(Power),max(powerc) over host | sort 10 -max(Power)</param>
    <param name="groupLabel">Power Usage</param>
    <module name="ViewstateAdapter">
        <module name="HiddenFieldPicker">
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator">
          <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="SimpleResultsTable">
              <param name="allowTransformedFieldSelect">True</param>


I am trying to write sub-query which will return latest value of a particular host. That's why i am trying to sort by date and time.

But query is giving zero results. Please correct me.

Thanks in advance,


Tags (2)
0 Karma

Splunk Employee
Splunk Employee

I think you may do it all in one search for this use case:

    index="test" sourcetype="power_test" 
| chart max(Power) as max_power first(Power) as recent_power over host 
| sort 10 -max(Power)
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...