- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count/List results from subquery that exist in mai...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count/List results from subquery that exist in main query
index="main" "recommended product" [ search index="main" "purchased product" | fields itemid | rename itemid as search | format ]
So Subquery returns a list of itemid like so... ("abc" OR "xyz" OR "mno")
Main query will return 5 events, consisting of "abc"(found in 2 events) and "xyz"(found in 3 events). "mno" does not exist in main query data set.
Is there a way I can get a list of subquery keywords that were found in main query?
EDIT: Clarifying the ask with an example -
My main search gives me a list of "recommended products"
My subsearch gives me a list of "purchased products"
I would like to find out how many products were purchased because they were recommended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="main" AND ("recommended product" OR "purchased product")
| fields _raw itemid
| mvexpand itemid
| eventstats count(eval(searchmatch("recommended product"))) as itemid_count by itemid
| eventstats values(itemid) as itemid_list
Hi, @yashodhan01
Since there is no sample log, I can't write an expression to aggregate.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are overcomplicating it; try simply this:
index="main" AND ("recommended product" OR "purchased product")
| stats count(eval(searchmatch("recommended product"))) AS recommended count(eval(searchmatch("purchased product"))) AS purchased count BY itemid and possibly other fields like userid here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This seems like a simple task but I am working with constraints here. The ItemID field is logged twice in the "purchased products" events and the value of first occurrence of ItemID is "unknown" in this system. Splunk stop trying to match after this first occurrence of ItemID in the event. I can't go back and change the logs or configure Splunk to use multivalued fields. Due to this, I cannot count BY ItemID in the way you proposed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="main" "subsearch keywords" OR "mainsearch keywords"
| stats count by myField
Hi, @yashodhan01
you don't need sub search.
what do you expect your output?
please provide example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This won't work for me because I need to extract some results from the subsearch and feed them to the main search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a place to start (I've gotta run for the day!)
index="main" "main keywords" | join type=inner left=L right=R where L.YourFieldontheLeft=R.YourFieldontheRight [ search index="main" "subsearch keywords" | fields myField | rename myField as search | format ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NO JOINS EVER
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
