6

I run a query and get a list of custId in the form of a table. How do I pass this result into another search query inside an IN clause?

eg:

Search 1:

index=* "successful login for"|table custID

This gives me a table with column custID.

Then I have to run

index=* "mail sent by"|where custID IN (search 1) |table CustID,_time

  • Basically what I want is: I have a search query that gives me custId and the time when he signed up. Another search query gives me the time when a user first used a service, say, sent a mail. I want to know after how many days of signing up each customer first used that service. – saurabh choudhary May 16 '18 at 11:14

2 Answers

5

Use a subsearch. You'll have to experiment with format options to get the output to be compatible with IN.

index=* "mail sent by"|where custID IN ([search index=* "successful login for"|fields custID | format]) |table custID,_time

If you can't get the format output right, you may have to use the old method without IN.

index=* "mail sent by"|where [search index=* "successful login for"|fields custID | format] |table custID,_time

BTW, index=* is not a good practice for Production. Use the real index name for better performance.

RichG
  • It did not work. Basically what I want is: I have a search query that gives me custId and the time when he signed up. Another search query gives me the time when a user first used a service, say, sent a mail. I want to know after how many days of signing up each customer first used that service. – saurabh choudhary May 16 '18 at 11:14
4
index=myindex <mainSearchConditions>
custID IN (
   [search index=myindex <subsearchConditions> | table custID | dedup custID 
   | stats values(eval("\"".custID."\"")) as search delim="," | nomv search]
)
drizin
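
For the goal stated in the comments (days from signup to first mail sent, per customer), both event types can be read in one pass and grouped with stats, so no list has to be passed into IN. This is an added example, not code from either answer. It assumes the placeholder index name myindex, that custID is extracted as a field on both event types, and that the earliest "successful login for" event stands for the signup time.

```spl
index=myindex ("successful login for" OR "mail sent by")
| eval signup_time = if(match(_raw, "(?i)successful login for"), _time, null())
| eval mail_time = if(match(_raw, "(?i)mail sent by"), _time, null())
| stats min(signup_time) AS signup_time min(mail_time) AS first_mail_time BY custID
| where isnotnull(signup_time) AND isnotnull(first_mail_time)
| eval days_to_first_use = round((first_mail_time - signup_time) / 86400, 1)
| eval signup_time = strftime(signup_time, "%F %T"), first_mail_time = strftime(first_mail_time, "%F %T")
| table custID, signup_time, first_mail_time, days_to_first_use
```

Customers who never sent a mail are dropped by the where clause. Because there is no subsearch, the subsearch result-count and runtime limits set in limits.conf do not apply.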