I could be doing something wrong, but I can't seem to get subsearches to behave like I expect. I can get something like the documentation (HowSubsearchesWork) example to work, but anything more complicated seems to fail.
This query:
index="main" *CONNECTION | top host limit=1 | fields host
shows the host with the most CONNECTION log entries.
As expected, this query:
* [search index="main" *CONNECTION | top host limit=1 | fields host]
shows all log messages from the host that has the most connection logs. When I try using different fields, however, the behavior changes.
For example, this query shows the most frequent UUIDs (a custom field):
index="main" *CONNECTION | top UUID limit=1 | fields UUID
The following all return "No matching events found.":
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID]
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as query]
* [search index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search]
Pasting the output from either of
index="main" *CONNECTION | top UUID limit=1 | fields UUID | format
index="main" *CONNECTION | top UUID limit=1 | fields UUID | rename UUID as search | format
into a new Splunk search produces the expected results.
Could this be a syntax or configuration issue, or do I not understand how subsearches work? We're on 4.1.3; could this be related to SPL-32669?
thanks in advance,
rick
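An added example, not part of the original question and not Splunk's own code: a small Python model of how a subsearch's result rows are rendered into search terms, the string that `| format` displays. The function name and sample rows are hypothetical; the output shape follows the default format delimiters, and it also shows why `top` output is trimmed with `fields` before being used as a subsearch.

```python
# Model of Splunk subsearch result formatting (assumption: default format
# delimiters "(" "(" "AND" ")" "OR" ")"). Not Splunk's implementation.

def format_subsearch(rows):
    """Render result rows as a search string for the outer search.

    Each row becomes one clause; fields within a row are ANDed, rows are
    ORed. A field named 'search' or 'query' is inserted verbatim, so
    `rename UUID as search` yields a bare term instead of UUID="...".
    An empty result set yields an empty string in this model.
    """
    if not rows:
        return ""
    clauses = []
    for row in rows:
        terms = []
        for field, value in row.items():
            if field in ("search", "query"):
                terms.append(str(value))
            else:
                escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
                terms.append(f'{field}="{escaped}"')
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


if __name__ == "__main__":
    # Constructed sample rows standing in for `top ... limit=1` output.
    # Without `| fields UUID`, top's count and percent columns become extra
    # AND terms that no raw event carries, so the outer search matches nothing.
    raw_top = [{"UUID": "3f9c1a2e-example", "count": "57", "percent": "31.2"}]
    trimmed = [{"UUID": "3f9c1a2e-example"}]
    renamed = [{"search": "3f9c1a2e-example"}]
    for label, rows in (("top only", raw_top), ("fields UUID", trimmed),
                        ("rename as search", renamed)):
        print(f"{label:18s} -> * {format_subsearch(rows)}")
```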