Passing values from subsearch to Parent Search

ashvinpandey · ‎12-15-2021

I am stuck with a query where I am trying to pass the field value from sub search to parent search:

Query:

index=f5 sourcetype="*f5*" earliest=-1d@d latest=d@d
[| inputlookup user where country="US" | fields UserName | rename user_name ]

Explanation: The field name which is going to match from the subsearch is the user_name, now in the parent search there are two fields for user that is user_name and Account_name and i need both of them in the end result (user_name contains internal users/ Account_name contains external users).
I tried using coalesce to merge both the fields in the parent search but eval pops an error.

Can anyone please help me in solving this problem ?

inventsekar · ‎12-15-2021

Hi @ashvinpandey
i am not sure if i understand your problem correctly... but, still... i think this should be helpful to your problem...

index=f5 sourcetype="*f5*" earliest=-1d@d latest=d@d
[| inputlookup user where country="US" | fields UserName | rename UserName as user_name | return user_name ]

PickleRick · ‎12-15-2021

I'm not exactly sure what you're trying to achieve. What should the subsearch resolve to?

user_name="internal_user" AND Account_name="external-user"

Just do your subsearch to include those two fields. If it's the same value, just add

| eval Account_name=user_name

at the end of your subsearch.

If they are supposed to have different values, you have to look them up of course on their own. Can't tell you how though without knowing the lokup and its structure.

isoutamo · ‎12-15-2021

Hi
Have you already try return? https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Return
r. Ismo

Passing values from subsearch to Parent Search

lookup

subsearch

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life