https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116749#M31008 <P>You'll want to use a subsearch (see <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch">http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch</A> ).</P> <PRE><CODE>sourcetype=transaction_detail [search sourcetype="transaction_status" status="completed" | fields transaction_id] | stats count by vendor_id </CODE></PRE> Sun, 27 Oct 2013 07:54:52 GMT Ayn 2013-10-27T07:54:52Z https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116748#M31007 <P>Hi all,</P> <P>I have 2 dump files and put separate them into 2 sourcetypes, sourcetype=transaction_status and sourcetype=transaction_detail. Here are some data from both sourcetype :</P> <P>sourcetype=transaction_status :</P> <P>transaction_id: 1004 status: completed<BR /><BR /> transaction_id: 1005 status: completed<BR /><BR /> transaction_id: 1006 status: pending_payment<BR /><BR /> transaction_id: 1007 status: pending_payment<BR /><BR /> transaction_id: 1008 status: completed<BR /><BR /> transaction_id: 1009 status: completed<BR /><BR /> transaction_id: 1010 status: pending_payment<BR /><BR /> transaction_id: 1011 status: completed </P> <P>sourcetype=transaction_detail :</P> <P>transaction_id: 1004 vendor_id: 03 tag: ""<BR /><BR /> transaction_id: 1005 vendor_id: 07 tag: ""<BR /><BR /> transaction_id: 1006 vendor_id: 03 tag: ""<BR /><BR /> transaction_id: 1007 vendor_id: 03 tag: ""<BR /><BR /> transaction_id: 1008 vendor_id: 03 tag: ""<BR /><BR /> transaction_id: 1009 vendor_id: 01 tag: ""<BR /><BR /> transaction_id: 1010 vendor_id: 07 tag: ""<BR /><BR /> transaction_id: 1011 vendor_id: 03 tag: "" </P> <P>I want to have a graph that shows the top 10 of vendor that have completed status. I can search which transaction_id that have status completed from sourcetype transaction_status (that's easy), but how to search which vendor related to these transaction_id (using data from sourcetype transaction_detail) ?</P> <P>So the output would be :</P> <P>vendor_id count<BR /><BR /> 3 3<BR /><BR /> 1 1<BR /><BR /> 7 1 </P> <P>Thanks,<BR /><BR /> Frank</P> Sun, 27 Oct 2013 06:55:14 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116748#M31007 frankagustinus 2013-10-27T06:55:14Z https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116749#M31008 <P>You'll want to use a subsearch (see <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch">http://docs.splunk.com/Documentation/Splunk/6.0/SearchTutorial/Useasubsearch</A> ).</P> <PRE><CODE>sourcetype=transaction_detail [search sourcetype="transaction_status" status="completed" | fields transaction_id] | stats count by vendor_id </CODE></PRE> Sun, 27 Oct 2013 07:54:52 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116749#M31008 Ayn 2013-10-27T07:54:52Z https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116750#M31009 <P>sourcetype=transaction_status status="completed" | stats count by transaction_id | appendcols [search sourcetype="transaction_detail" | stats count by transaction_id vendor_id]| stats sum(count) as count by vendor_id</P> Mon, 28 Sep 2020 15:05:55 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116750#M31009 amarsaroj 2020-09-28T15:05:55Z https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116751#M31010 <P>Hi Ayn, </P> <P>I tried your approach and works perfectly. Thanks .. I didn't realize it is that simple. And with some modification based from amarsaroj approach (using appendcols), we were able to create more complex chart.</P> Wed, 06 Nov 2013 07:22:18 GMT https://community.splunk.com/t5/Splunk-Search/Nested-search/m-p/116751#M31010 frankagustinus 2013-11-06T07:22:18Z