Solved: Is there any way to use all returned values under ...

cxm0u4e · ‎07-15-2022

Let's say I have a multivalue fieldA and a fieldB. I know you can do something like "| where field=value" in a search or just have it in the first part of the search arguments, but is it possible to do something for where I use all returned values part of fieldA as the search for fieldB?

bowesmana · ‎07-17-2022

Are you looking for a subsearch so that your main search will look for fieldB="any of field A" values?

index=bla... [ 
  search index=find_values_of_fieldA 
  | stats values(fieldA) as fieldB
  | format ]

View solution in original post

bowesmana · ‎07-17-2022

Are you looking for a subsearch so that your main search will look for fieldB="any of field A" values?

index=bla... [ 
  search index=find_values_of_fieldA 
  | stats values(fieldA) as fieldB
  | format ]

marysan · ‎07-17-2022

Is there any way to use all returned values under a certain field in a search?

fields

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk