Splunk - Subsearching
A subsearch is a special case of a regular search in which the result of a secondary (inner) query is used as the input to the primary (outer) query. It is similar to the concept of a subquery in SQL. In Splunk, the inner query (the subsearch) returns a result which is passed as input to the primary, or outer, query.
When a search contains a subsearch, the subsearch is run first. Subsearches must be enclosed in square brackets in the primary search.
Example
Consider the case of finding, in a web log, the file with the maximum byte size. That maximum may vary from day to day. We then want to find only those events where the file size is equal to the maximum size and the event occurred on a Sunday.
Create the Subsearch
We first create the subsearch to find the maximum file size. We use the stats command with the max function and the field named bytes as its argument, i.e. stats max(bytes). This identifies the maximum file size within the time frame over which the search is run.
The image below shows the search and the result of this subsearch:
Adding the Subsearch
Next, we add the subsearch to the primary, or outer, query by placing it inside square brackets. The search command is also added at the start of the subsearch.
As the result shows, only those events remain where the file size is equal to the maximum file size found across all the events, and the event day is a Sunday.
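The complete search described above, written out as an added example rather than taken from the tutorial's screenshots. The index name web, the sourcetype access_combined_wcookie and the event-time field names are assumptions for illustration; bytes is the field the tutorial uses, and date_wday is Splunk's automatically extracted day-of-week field, whose values are lowercase.

```spl
index=web sourcetype=access_combined_wcookie date_wday=sunday
    [ search index=web sourcetype=access_combined_wcookie
      | stats max(bytes) AS bytes ]
```

Splunk runs the bracketed subsearch first. It returns a single row with one field, bytes, and substitutes that row into the outer search as the condition bytes=<value>, which is ANDed with the other terms. Two details matter in practice. First, the AS bytes rename is what makes the substitution work: without it the subsearch would return a field called max(bytes), which does not exist in the raw events, and the outer search would match nothing. Second, the subsearch is not restricted to Sundays, so the maximum is computed over every event in the time range (as the tutorial describes) and the Sunday filter applies only to the outer query; to compare against the largest Sunday transfer instead, the date_wday=sunday term must also be added inside the brackets. Subsearches are also subject to the limits in limits.conf (by default at most 10,000 results and 60 seconds of run time), so a subsearch that silently truncates or times out can make the outer search return incomplete results, which is worth checking when a search like this backs an alert or a detection.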