Solved: Re: Pass fields from inner search to outer search

patelaa · ‎07-29-2015

Please disregard...mods can delete.

woodcock · ‎07-29-2015

Try this (avoid using subsearch😞

(index=indexA sourcetype=srcTypeA Network_Address="1.1.1.1") OR (index=indexB "stringExample") | stats dc(index) AS indexCount values(*) AS * by user | where indexCount=1 AND index="indexA" | fields user src time

Keep in mind that by discluding ALL users from index=indexB you are also discluding all events ( fields ) from index=indexB so much of your question is nonsensical!

View solution in original post

the_wolverine · ‎07-29-2015

No need to pipe to subsearch:

index=A sourcetype=srcTypeA Network_Address="1.1.1.1" NOT [search index=B "stringExample" | fields user] | stats values(src) AS srvIP values(time) AS time by user

woodcock · ‎07-29-2015

Try this (avoid using subsearch😞

(index=indexA sourcetype=srcTypeA Network_Address="1.1.1.1") OR (index=indexB "stringExample") | stats dc(index) AS indexCount values(*) AS * by user | where indexCount=1 AND index="indexA" | fields user src time

Keep in mind that by discluding ALL users from index=indexB you are also discluding all events ( fields ) from index=indexB so much of your question is nonsensical!

Pass fields from inner search to outer search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life