Splunk Search

How to replace a subsearch?

xarquin
New Member

Hi,
I am trying to count the number of users who receive a mail and do a particular action later, sorted by the date the email was sent. More precisely, it is to measure the impact of an ad campaign.

I am currently using a subsearch which gives me good results:

name=install_X_success AND [search type=ask_to_install_ad | table user_id]

The subsearch gives me all user_id who received emails, and I look for those who match with the event called install_X_success.
This gives me good results for a short period of two days, but I want to extend it to a period of several months...
The limit is twofold: the limit of the subsearch in number, and the amount of time it takes.
And I cannot sort my results by the date of the sent mail.

How can I deal with this request?

0 Karma

xarquin
New Member

Hi, thanks for the quick answer,

I cannot perform this search because the event which includes name=install_X_success does not include a type. Only a second event, called name=email_sent, includes different types, one of which is type=ask_to_download.

Well, my real purpose is to sort by the date of email sent, so the whole search is this one and the subsearch seemed to me a good choice ->

type=ask_to_download_ad AND [search name=install_X_success AND user_id | table user_id ] | bucket _time span=1d | stats count by _time

with its limit.....

If you have a second answer it could resolve a week issue 🙂 !

Thanks

0 Karma

Drainy
Champion

Why subsearch at all?

Why not just do a search as such:

name=install_X_success type=ask_to_install_ad | table user_id

The AND is implicit in both being defined in the search string.

0 Karma
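
A subsearch-free way to express the correlation described in this thread, added here as an example (it was not posted by anyone in the thread). It assumes both the email events and the install events carry `user_id`, that the email events are the ones matching `type=ask_to_install_ad` as in the first post (substitute the type value your data actually uses), and that "later" means an install after the first email to that user; `sent_time`, `install_time` and `users_installed` are names chosen for this example.

```spl
(name=install_X_success) OR (type=ask_to_install_ad)
``` Tag each event with the timestamp that matters for its kind; the other field stays null ```
| eval sent_time=if(type=="ask_to_install_ad", _time, null())
| eval install_time=if(name=="install_X_success", _time, null())
``` One row per user: first email sent, last install seen ```
| stats min(sent_time) AS sent_time max(install_time) AS install_time BY user_id
``` Keep only users who were mailed AND installed after the mail ```
| where isnotnull(sent_time) AND install_time > sent_time
``` Bucket by the day the email was sent, not the day of the install ```
| eval _time=sent_time
| bin _time span=1d
| stats dc(user_id) AS users_installed BY _time
| sort 0 _time
```

Because both event kinds are retrieved in one pass and joined with `stats ... BY user_id`, the search is not bound by the subsearch result-count and runtime limits, and the final grouping is on the email date.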