Hi @momagic, you have to use a subsearch: create a main query containing the data to display, adding as subsearch (putting it between square brackets and adding the search command at the beginning) the search containing the parameters, then you can display the fields you want.

You have to pay attention to two things: at the end of the subsearch you have to use a command such as table or fields to list only the fields used as filters, and the fields from the subsearch must have exactly (case sensitive) the same names as the fields in the main search.

For example, if the fields to use to filter events are FieldA and FieldB but in the subsearch there are also other fields, you should write:

index=index1 [ search index=index2 | fields FieldA FieldB ]
| table _time host field1 field2 FieldA FieldB

If you haven't much experience with Splunk searches and you haven't followed a course (there are many free courses in Splunk), you could follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/SearchTutorial/WelcometotheSearchTutorial) that explains how to use Splunk for searching, and here you can find a description of how to use subsearches: https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/SearchTutorial/Useasubsearch

Ciao.
Giuseppe
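The two points in the answer above, as an added example that is not part of the original post: a simplified Python model of how subsearch rows become the main search's filter (fields in a row ANDed, rows ORed). The events, the `status` and lowercase `fielda` fields, and all function names are constructed for illustration; this is not Splunk code.

```python
# Simplified model of subsearch filtering (assumption: not Splunk's implementation).
# All events below are constructed sample data.
INDEX2 = [  # what the subsearch "search index=index2" would return
    {"FieldA": "alice", "FieldB": "10.0.0.5", "status": "failed"},
    {"FieldA": "bob", "FieldB": "10.0.0.9", "status": "failed"},
]
INDEX1 = [  # events in the main search "index=index1"
    {"host": "web01", "FieldA": "alice", "FieldB": "10.0.0.5", "status": "ok"},
    {"host": "web02", "FieldA": "alice", "FieldB": "10.0.0.7", "status": "failed"},
    {"host": "web03", "FieldA": "bob", "FieldB": "10.0.0.9", "status": "ok"},
]

def fields(rows, *names):
    """Model of `| fields`: keep only the named fields (names are case sensitive)."""
    return [{n: r[n] for n in names if n in r} for r in rows]

def expand(rows):
    """Render subsearch rows as the filter string handed to the main search."""
    clauses = ["( " + " AND ".join(f'{k}="{v}"' for k, v in r.items()) + " )"
               for r in rows if r]
    return "( " + " OR ".join(clauses) + " )"

def main_search(events, rows):
    """Hosts of events matching every field of at least one subsearch row.
    A field name the event does not carry can never match."""
    groups = [r for r in rows if r]
    return [e["host"] for e in events
            if any(all(e.get(k) == v for k, v in g.items()) for g in groups)]

def with_fields():
    # [ search index=index2 | fields FieldA FieldB ]
    return main_search(INDEX1, fields(INDEX2, "FieldA", "FieldB"))

def without_fields():
    # [ search index=index2 ]: the extra `status` field also becomes a filter term
    return main_search(INDEX1, INDEX2)

def wrong_case():
    # The subsearch calls the field `fielda`; the main search's events carry `FieldA`
    renamed = [{"fielda": r["FieldA"], "FieldB": r["FieldB"]} for r in INDEX2]
    return main_search(INDEX1, renamed)

if __name__ == "__main__":
    print(expand(fields(INDEX2, "FieldA", "FieldB")))
    print(with_fields(), without_fields(), wrong_case())
```
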