https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234125#M69568 <P>This will not work because say for example I had 1000 addresses for the zip code 11111 in the potential clients sourcetype and no actual clients in that zip code but had 20 clients in zip code 22222 but only an additional 300 addresses for potential clients in zip code 22222.</P> <P>In this case the search would place the zip where i have no clients higher in the list.</P> <P>I really do need to identify the top zips for existing clients and then use that as input to search the potential clients sourcetype.</P> Fri, 13 Nov 2015 00:55:55 GMT digital_alchemy 2015-11-13T00:55:55Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234123#M69566 <P>I have two sourcetypes "clients" and "potential_clients" and each sourcetype contains address information. I want to focus marketing in areas where I have the most existing clients, so I would like to run a sub-=search against the "clients" sourcetype to identify the top 20 zip codes of of the existing clients, then use those zip codes as input to search and identify the the addresses in the "potential_clients" sourcetype matching those zip codes.</P> <P>This is what I've got so far, but it's not working like I thought it would. The zip code for both source types is "Property Zip"</P> <PRE><CODE>sourcetype="potential_clients" [search sourcetype=*clients* | top limit=20 "Property Zip" | fields + "Property Zip" | rename "Property Zip" as search ] </CODE></PRE> Tue, 29 Sep 2020 07:54:33 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234123#M69566 digital_alchemy 2020-09-29T07:54:33Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234124#M69567 <P>Not sure you need a subsearch. This may give you what you're looking for</P> <P>(sourcetype="potential_clients" OR sourcetype="clients") | top limit=20 "Property Zip" by sourcetype</P> Fri, 13 Nov 2015 00:20:43 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234124#M69567 sundareshr 2015-11-13T00:20:43Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234125#M69568 <P>This will not work because say for example I had 1000 addresses for the zip code 11111 in the potential clients sourcetype and no actual clients in that zip code but had 20 clients in zip code 22222 but only an additional 300 addresses for potential clients in zip code 22222.</P> <P>In this case the search would place the zip where i have no clients higher in the list.</P> <P>I really do need to identify the top zips for existing clients and then use that as input to search the potential clients sourcetype.</P> Fri, 13 Nov 2015 00:55:55 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234125#M69568 digital_alchemy 2015-11-13T00:55:55Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234126#M69569 <P>Ok I figured it out.... the format command is what I needed.</P> <P>This search does exactly what I need.</P> <PRE><CODE>sourcetype=potential_clients [search sourcetype=clients | top "Property Zip" limit=25 | table "Property Zip" | format] </CODE></PRE> Fri, 13 Nov 2015 01:11:46 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234126#M69569 digital_alchemy 2015-11-13T01:11:46Z https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234127#M69570 <P>Try this <CODE>sourcetype="potential_clients" [search sourcetype="clients" | top limit=20 "Property Zip" | return "Property Zip"]</CODE> </P> Fri, 13 Nov 2015 01:19:22 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-use-multiple-values-from-a-subsearch-as-input-to-the/m-p/234127#M69570 sundareshr 2015-11-13T01:19:22Z