Re: How to replace a subsearch ?

xarquin · ‎12-13-2011

Hi,
I am trying to count the number of users who receive a mail and do a particular action later sort by the date of the email sent. It is more precisely to mesure the impact of an ad-campaign.

I am currently using a subsearch which give me good results :

name=install_X_success AND [search type=ask_to_install_ad | table user_id]

the subsearch gives me all user_id who received emails, and I look for those who match with the event called install_X_success.
This give me good results for a short period of two days but I want to extend it to period of several months...
The limite is double : the limite of the subsearch in number and amount of time it takes..
And I cannot sort my result by the date of the sent mail.

How can I do to deal with this request ?

xarquin · ‎12-14-2011

Hi, thanks for the quick answer,

I cannot perform this search because the event which include name=install_X_success do not include a type. Only a second event called name=email_sent include different types with one of them is type=ask_to_download.

Well, my real purpose is to sort by the date of email sent, so the whole search is this one and the subsearch seemed to me a good choice ->

type=ask_to_download_ad AND [search name=install_X_success AND user_id | table user_id ] | bucket _time span=1d | stats count by _time

with its limit.....

If you have a second answer it could resolve a week issue 🙂 !

Thanks

Drainy · ‎12-13-2011

why subsearch at all?

Why not just do a search as such;

name=install_X_success type=ask_to_install_ad | table user_id

the AND is implicit in both being defined in the search string.

How to replace a subsearch ?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!