Topics

| pdf version

Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

How subsearches work

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6

How subsearches work

A subsearch is a search with a search pipeline as an argument. Subsearches are contained in square brackets and evaluated first. The result of the subsearch is then used as an argument in the primary or outer search. You can use subsearches to match subsets of your data that you cannot describe directly in a search expression, but which can be generated from a search.

For example, if you're interested in finding all events from the most active host in the last hour, you can't search for a specific host because it might not be the same host every hour. First, you need to identify which host is most active.

sourcetype=syslog earliest=-1h | top limit=1 host | fields + hostSearch

Note that the previous search will only return one host value. Once you have this host, which is the most active host in the last hour, you can search for all events on that host. Let's say it's a server named, "crashy":

sourcetype=syslog host=crashySearch

But, instead of running two searches each time you want this information, you can use a subsearch to give you the hostname:

sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields + host]Search

Modify subsearch limits in limits.conf

You can control the subsearch runtime and number of results by setting these limits in the [subsearch] stanza of a limits.conf file. 

[subsearch]

maxout = <integer>
* Maximum number of results to return from a subsearch.
* Defaults to 100.

maxtime = <integer>
* Maximum number of seconds to run a subsearch before finalizing
* Defaults to 60.

ttl = <integer>
* Time to cache a given subsearch's results.
* Defaults to 300.

Use subsearch to correlate data

You can use subsearches to correlate data, including data across different indexes or Splunk servers in a distributed environment.

Change the format of subsearch results

The format command is implicitly applied to your subsearch results, but you can use this command to change your subsearch results into a single linear search string. For more information, see the format search reference. You can change the maximum number of events to use in a subsearch in the [format] stanza of limits.conf. 

[format]

maxresults = <integer> 
* Maximum number of events for a subsearch to use in generating a search.
* Defaults to 100.
Retrieved from "http://www.splunk.com/base/Documentation/4.0.6/User/HowSubsearchesWork"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.