Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How would I use multiple values from a subsearch as input to the main search?

digital_alchemy
Path Finder
‎11-12-2015 03:48 PM

I have two sourcetypes "clients" and "potential_clients" and each sourcetype contains address information. I want to focus marketing in areas where I have the most existing clients, so I would like to run a sub-=search against the "clients" sourcetype to identify the top 20 zip codes of of the existing clients, then use those zip codes as input to search and identify the the addresses in the "potential_clients" sourcetype matching those zip codes.

This is what I've got so far, but it's not working like I thought it would. The zip code for both source types is "Property Zip"

sourcetype="potential_clients" [search sourcetype=*clients* | top limit=20 "Property Zip" | fields + "Property Zip" | rename "Property Zip" as search ]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

digital_alchemy
Path Finder
‎11-12-2015 05:11 PM

Ok I figured it out.... the format command is what I needed.

This search does exactly what I need.

sourcetype=potential_clients [search sourcetype=clients | top "Property Zip" limit=25 | table "Property Zip" | format]

View solution in original post

Reply
Solved! Jump to solution
Solution

digital_alchemy
Path Finder
‎11-12-2015 05:11 PM

Ok I figured it out.... the format command is what I needed.

This search does exactly what I need.

sourcetype=potential_clients [search sourcetype=clients | top "Property Zip" limit=25 | table "Property Zip" | format]
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-12-2015 04:20 PM

Not sure you need a subsearch. This may give you what you're looking for

(sourcetype="potential_clients" OR sourcetype="clients") | top limit=20 "Property Zip" by sourcetype

0 Karma
Reply
Solved! Jump to solution

digital_alchemy
Path Finder
‎11-12-2015 04:55 PM

This will not work because say for example I had 1000 addresses for the zip code 11111 in the potential clients sourcetype and no actual clients in that zip code but had 20 clients in zip code 22222 but only an additional 300 addresses for potential clients in zip code 22222.

In this case the search would place the zip where i have no clients higher in the list.

I really do need to identify the top zips for existing clients and then use that as input to search the potential clients sourcetype.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎11-12-2015 05:19 PM

Try this sourcetype="potential_clients" [search sourcetype="clients" | top limit=20 "Property Zip" | return "Property Zip"]

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...