Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I getting different results with filtering ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ,
I would like to generate a customer analysis.
I must use order and a customer segmentation.
I write a search with one customer:
Search1 :
index=order sourcetype="order" id_customer=1780186
| append [| search index=segmentation id_customer=1780186 | eval capacity=1 | table id_customer, segment , capacity]
| search id_customer=1780186
| table id_customer, segment ,id_market_order
It returns customer order list and segmentation. (225 lines)
If I remove all filter , the new search returns 224 lines (just order list).
Search 2 :
index=order sourcetype="order"
| append [| search index=segmentation | eval capacity=1 | table id_customer, segment , capacity]
| search id_customer=1780186
| table id_customer, segment ,id_market_order
If I add filter, the search 3 returns 225 lines.
Search 3 :
index=order sourcetype="order" id_customer=1780186
| append [| search index=segmentation | eval capacity=1 | table id_customer, segment , capacity]
| search id_customer=1780186
| table id_customer, segment ,id_market_order
Have you an idea?
Thanks you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a default maximum number of events that can be returned from a subsearch. If you look at the search job inspector after running search #2, I think you may find that you have exceeded the maximum and therefore have lost one of your results.
However, this search dos not need a subsearch at all. This will work and be much faster:
id_customer=1780186 (index=order sourcetype="order") OR index=segmentation
| table id_customer, segment, id_market_order
If you want to ensure that the order data precedes the segmentation data in the resulting table, you can do this
id_customer=1780186 (index=order sourcetype="order") OR index=segmentation
| eval sequence=if(index=="order",1,2)
| sort id_customer, sequence, _time
| table id_customer, segment, id_market_order
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a default maximum number of events that can be returned from a subsearch. If you look at the search job inspector after running search #2, I think you may find that you have exceeded the maximum and therefore have lost one of your results.
However, this search dos not need a subsearch at all. This will work and be much faster:
id_customer=1780186 (index=order sourcetype="order") OR index=segmentation
| table id_customer, segment, id_market_order
If you want to ensure that the order data precedes the segmentation data in the resulting table, you can do this
id_customer=1780186 (index=order sourcetype="order") OR index=segmentation
| eval sequence=if(index=="order",1,2)
| sort id_customer, sequence, _time
| table id_customer, segment, id_market_order
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
