Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How would I use multiple values from a subsearch as input to the main search?

digital_alchemy
Path Finder
‎11-12-2015 03:48 PM

I have two sourcetypes "clients" and "potential_clients" and each sourcetype contains address information. I want to focus marketing in areas where I have the most existing clients, so I would like to run a sub-=search against the "clients" sourcetype to identify the top 20 zip codes of of the existing clients, then use those zip codes as input to search and identify the the addresses in the "potential_clients" sourcetype matching those zip codes.

This is what I've got so far, but it's not working like I thought it would. The zip code for both source types is "Property Zip"

sourcetype="potential_clients" [search sourcetype=*clients* | top limit=20 "Property Zip" | fields + "Property Zip" | rename "Property Zip" as search ]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

digital_alchemy
Path Finder
‎11-12-2015 05:11 PM

Ok I figured it out.... the format command is what I needed.

This search does exactly what I need.

sourcetype=potential_clients [search sourcetype=clients | top "Property Zip" limit=25 | table "Property Zip" | format]

View solution in original post

Reply
Solved! Jump to solution
Solution

digital_alchemy
Path Finder
‎11-12-2015 05:11 PM

Ok I figured it out.... the format command is what I needed.

This search does exactly what I need.

sourcetype=potential_clients [search sourcetype=clients | top "Property Zip" limit=25 | table "Property Zip" | format]
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-12-2015 04:20 PM

Not sure you need a subsearch. This may give you what you're looking for

(sourcetype="potential_clients" OR sourcetype="clients") | top limit=20 "Property Zip" by sourcetype

0 Karma
Reply
Solved! Jump to solution

digital_alchemy
Path Finder
‎11-12-2015 04:55 PM

This will not work because say for example I had 1000 addresses for the zip code 11111 in the potential clients sourcetype and no actual clients in that zip code but had 20 clients in zip code 22222 but only an additional 300 addresses for potential clients in zip code 22222.

In this case the search would place the zip where i have no clients higher in the list.

I really do need to identify the top zips for existing clients and then use that as input to search the potential clients sourcetype.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-12-2015 05:19 PM

Try this sourcetype="potential_clients" [search sourcetype="clients" | top limit=20 "Property Zip" | return "Property Zip"]

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...