Using the results of one search to perform another

vjzone
Path Finder

I want to list ALL customers who bought a watch and then use their userId to list out all of their purchases (not limited to watches).
I'm trying to solve this using subsearches. But it's not helping. Can anyone suggest a solution?

source="foobar"
[search xxx OR yyy OR zzz source="foobar" mdn
| rex field=_raw "(?<MDN>[0-9]+)" max_match=0
| dedup MDN
| rename MDN as search]
| rex field=_raw "(?<orderid>[0-9]+)" max_match=0
| dedup orderid
| stats list(orderId) by MDN

1 Solution

renjith_nair
Legend

Hi @vjzone,

Try something similar after changing the logic according to your events,

index="your index" source=foobar purchase=* [search index="your index" source=foobar purchase=watch |table userid|dedup userid]

The reference below might give you some idea,

https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Aboutsubsearches#Example_2:_Using_a_subsea...

---
What goes around comes around. If it helps, hit it with Karma 🙂
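
A single-pass alternative to the subsearch above, as an added example that is not part of the original answer: it reads the events once, marks every userid that has at least one watch purchase, and then lists all purchases for those users, which avoids the result-count and runtime limits Splunk applies to subsearches. The index, source, and the `userid` and `purchase` fields are the answer's placeholders; `bought_watch`, `purchase_count` and `purchases` are names introduced here.

```spl
index="your index" source=foobar purchase=*
| eventstats count(eval(purchase="watch")) AS bought_watch BY userid
| where bought_watch > 0
| stats count AS purchase_count, values(purchase) AS purchases BY userid
| sort - purchase_count
```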


renjith_nair
Legend

Hi @vjzone, let us know if you still have questions.
