This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
When, why, and how to use subsearches.
A subsearch is a search whose argument is itself a search pipeline, much like command substitution with backticks in a UNIX shell. Use a subsearch to generate a set of results and then use those results to narrow an outer (containing) search: the subsearch runs first, to completion, and its results are turned into search terms for the outer search.
search_command ::= "search" search_argument+
search_argument ::= keyword | field="value" | modifier="value" | subsearch
subsearch ::= "[" search_pipeline "]"
search_pipeline ::= search_command ( "|" command )*
The search command is made up of the search keyword followed by one or more search arguments. A subsearch is a complete search pipeline enclosed in square brackets, and it can appear wherever a search argument can.
This example returns the access_combined events whose client IP address appears fewer than 10 times in that source type.
sourcetype="access_combined" [search sourcetype="access_combined" | stats count by client_ip | search count<10 | fields +client_ip]
1. The "inner" subsearch searches the access_combined source type and uses the stats command to count events by client_ip, producing one row per client_ip value with a count field.
2. The search count<10 command then filters out the rows for client_ip values that occur 10 or more times.
3. The fields +client_ip command keeps only the client_ip field, so the subsearch returns nothing but client_ip values. This step matters: every field in a subsearch row becomes part of the search terms, so if the count field were left in, the outer search would look for events with count=3 and so on, which raw events do not have, and would match nothing.
4. The remaining client_ip values are passed as an argument to the "outer" search, which runs only after the subsearch has completed.
As a whole, the search returns events from the access_combined source type whose client_ip matches any of the values returned by the subsearch. The subsearch results are expanded into an OR of client_ip="value" terms, so the outer search is equivalent to sourcetype="access_combined" (client_ip="a" OR client_ip="b" OR ...).
In this example, the subsearch uses the stats command to compute the count for each client_ip address, and the "outer" search is then run only against that smaller set of values.
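The following Python model of the example above is added here to make the mechanism visible; it is not Splunk code and does not reproduce Splunk's exact output syntax. It builds a small constructed set of access_combined-style events, runs the inner pipeline (stats count by client_ip | search count<10 | fields +client_ip) over them, shows the logical expression the subsearch rows are expanded into, and applies that expression as the outer search. Running it a second time with the count field kept (as if fields +client_ip were omitted) shows why step 3 matters: the count="3" terms match no raw event. The event format, IP addresses and hit counts are constructed for the example.

```python
from collections import Counter


def make_event(ip, path):
    """Build one constructed Apache combined-format line; client IP is the first token."""
    return f'{ip} - - [10/Oct/2000:13:55:36 -0700] "GET {path} HTTP/1.0" 200 2326'


# Constructed sample "access_combined" events (not real traffic):
# 10.0.0.1 is a noisy client with 12 hits, 10.0.0.2 has 3, 10.0.0.3 has 1.
SAMPLE_EVENTS = (
    [make_event("10.0.0.1", f"/page{i}.html") for i in range(12)]
    + [make_event("10.0.0.2", f"/item{i}") for i in range(3)]
    + [make_event("10.0.0.3", "/login")]
)


def extract_fields(event):
    """Field extraction for one raw event; only client_ip is modelled here."""
    return {"client_ip": event.split(" ", 1)[0]}


def inner_subsearch(events, keep_only=("client_ip",)):
    """Model of: stats count by client_ip | search count<10 | fields +<keep_only>.
    Returns the subsearch result rows as a list of dicts."""
    counts = Counter(extract_fields(e)["client_ip"] for e in events)
    rows = [{"client_ip": ip, "count": n} for ip, n in sorted(counts.items())]
    rows = [r for r in rows if r["count"] < 10]          # search count<10
    return [{k: r[k] for k in keep_only} for r in rows]  # fields +...


def expand_subsearch(rows):
    """Logical form of how subsearch rows become search terms: the fields of
    one row are ANDed, and the rows are ORed together. Splunk's literal
    formatting may differ; this shows the structure, not the exact string."""
    clauses = [" AND ".join(f'{k}="{v}"' for k, v in row.items()) for row in rows]
    return " OR ".join(f"({c})" for c in clauses)


def outer_search(events, rows):
    """Model of the outer search: an event matches if every field=value pair
    of at least one subsearch row holds for that event's extracted fields."""
    matched = []
    for event in events:
        fields = extract_fields(event)
        if any(all(str(fields.get(k)) == str(v) for k, v in row.items()) for row in rows):
            matched.append(event)
    return matched


def run_example(keep_only=("client_ip",)):
    """Run the inner subsearch, expand it, and apply it as the outer search."""
    rows = inner_subsearch(SAMPLE_EVENTS, keep_only)
    return expand_subsearch(rows), outer_search(SAMPLE_EVENTS, rows)


if __name__ == "__main__":
    # With fields +client_ip (as in the example) and with count left in.
    for keep in (("client_ip",), ("client_ip", "count")):
        expr, hits = run_example(keep)
        print(f"fields +{' '.join(keep)} -> {expr}: {len(hits)} events")
```

The first run yields (client_ip="10.0.0.2") OR (client_ip="10.0.0.3") and returns the four events from those two clients, dropping the 12 from 10.0.0.1; the second run yields terms such as client_ip="10.0.0.2" AND count="3", which no raw event satisfies, so nothing is returned.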