How do I take the results of one query and use it in another. I want to take the results of trackedsessions and use it in the tile query. (i.e. tile/trackedsessions)
tracked sessions:
....search
| eval View=case(like(publishId,"%U"),"unsubscribed",like(publishId,"%S"),"subscribed")
| transaction startswith="Enter" endswith="Timeout" or "Exit" by deviceID View
| table View deviceID eventcount
| stats count(deviceID) as count by View
tile:
...search
| stats count(tile) as tile, count as trackedsessions
| eval percentage=round((tile/trackedsessions*100),2)
Hi dwong2,
there are multiple options for this problem, but it is hard to provide the one solution that works best for you without more details.
So, lets start with using a sub search: Use the search that returns the least results in the sub search, this is because sub searches have some limits that can bight you http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_con... .
A simple example would be :
index=2 [ search index=1 | fields SomeFieldYouWant | format ]
That will search index=2
for a single result found in index=1
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
The next level is to use return
with a sub search:
index=2 [ search index=1 | fields SomeFieldYouWant | return ]
That will search index=2
for a list of OR
results found in index=1
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Return
The much better option is to ignore all kinds of sub searches, joins, appends, transactions at all and just use stats
; Read more about the stats approach here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or here http://wiki.splunk.com/Virtual_.conf the March 2016 session of @sideview
Hope this helps ...
cheers, MuS