A subsearch is a search within a primary, or outer, search. When a search contains a subsearch, the subsearch typically runs first. Subsearches must be enclosed in square brackets in the primary search. For example:

    sourcetype=access_* status=200 action=purchase | stats count, dc(productId), values(productId) by clientip

The subsearch portion of the search is enclosed in square brackets.

The first command in a subsearch must be a generating command, such as search, eventcount, inputlookup, or tstats. For a list of generating commands, see Command types in the Search Reference. One exception is the foreach command, which accepts a subsearch that does not begin with a generating command, such as eval.

When a search contains a subsearch, the Splunk software processes the subsearch first as a distinct search job. It then runs the search that contains the subsearch as another search job. Keep this in mind if you include subsearches in searches that run frequently and you are concerned about search concurrency or excess load on the search scheduler.

How subsearches work

A subsearch looks for a single piece of information that is then added as a criterion, or argument, to the primary search. You use a subsearch because the piece of information that you are looking for is dynamic: it might change every time you run the subsearch.

For example, you want to return all of the events from the host that was the most active in the last hour. The host that was the most active might be different from hour to hour, so you need to identify the most active host in the last hour before you can return the events from that host.

You could run two searches to obtain the list of events. The following search identifies the most active host in the last hour.

    sourcetype=syslog earliest=-1h | top limit=1 host | fields host

Assume that the result is the host named crashy. To return all of the events from the host crashy, you need to run a second search.

The drawback to running two searches is that you cannot set up reports and dashboard panels to run automatically. You must run the first search to identify the piece of information that you need, and then run the second search with that piece of information.

You can combine these two searches into one search that includes a subsearch. The subsearch is in square brackets and is run first. The subsearch in this example identifies the most active host in the last hour. The result of the subsearch is then provided as a criterion for the main search, and the main search returns the events for that host.

Time ranges selected from the Time Range Picker apply to the base search and to subsearches. However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch. For example, if the Time Range Picker is set to Last 7 days and a subsearch contains its own earliest time modifier, then that modifier applies only to the subsearch and Last 7 days applies to the base search. The subsearch's time range does not apply to the base search or to any other subsearch.

Subsearches are mainly used for two purposes:

    Parameterize one search, using the output of another search. The example, described above, of searching for the most active host in the last hour is an example of this use of a subsearch.
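The combined search described above, together with the time-range rule, written out as an added example; it is not a search taken from the original page. The sourcetype=syslog source and the host field are the page's own; the inline earliest=-7d on the base search is an assumption added here purely to illustrate that a time modifier in the base search does not reach the subsearch:

```spl
sourcetype=syslog earliest=-7d
    [search sourcetype=syslog earliest=-1h
        | top limit=1 host
        | fields host]
```

The subsearch runs first over its own last hour, regardless of the base search's earliest=-7d, and expands to the criterion host="crashy" (or whichever host won), so the base search effectively becomes sourcetype=syslog earliest=-7d host="crashy" over the last seven days. If the subsearch carried no earliest at all, it would run over the Time Range Picker's range, not over the base search's inline earliest=-7d. The trailing fields host is not cosmetic: top also emits count and percent fields, and without fields host the subsearch expands to host="crashy" AND count="..." AND percent="...", which matches no syslog event. To see the exact string a subsearch will contribute before you embed it, run it on its own with | format appended; the generated criterion is returned in a field named search.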
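A subsearch whose first command is a generating command other than search, as a second added example that is not from the original page. It applies the generating-command rule above to a watchlist: failed logins are filtered down to source addresses that appear in a lookup. The sourcetype linux_secure, the event fields action, src_ip and user, and the lookup file known_bad_ips.csv with an ip column are all assumptions made for this example:

```spl
sourcetype=linux_secure action=failure
    [| inputlookup known_bad_ips.csv
        | rename ip AS src_ip
        | fields src_ip]
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users,
        min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| sort -failures
```

Because the subsearch does not start with search, the first command inside the brackets is written with a leading pipe. The subsearch expands to ( src_ip="203.0.113.5" ) OR ( src_ip="198.51.100.7" ) OR ..., one clause per lookup row, which is why the lookup's ip column is renamed to src_ip before fields: left as ip, the expansion would test ip="..." and match nothing. Subsearch output is bounded by the [subsearch] stanza in limits.conf, maxout (10,000 rows by default) and maxtime (60 seconds by default); a watchlist beyond those limits is silently cut to the limit, with only a warning in the job messages and no failure, so check the list size with | inputlookup known_bad_ips.csv | stats count before relying on the result, and for large lists apply the lookup command to the base search's events instead of a subsearch.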