txtsetr.blogg.se

Splunk subsearch timeout

A subsearch is a search within a primary, or outer, search. When a search contains a subsearch, the subsearch typically runs first. Subsearches must be enclosed in square brackets in the primary search.

    sourcetype=access_* status=200 action=purchase | stats count, dc(productId), values(productId) by clientip

The subsearch portion of a search is enclosed in square brackets. The first command in a subsearch must be a generating command, such as search, eventcount, inputlookup, and tstats. For a list of generating commands, see Command types in the Search Reference. One exception is the foreach command, which accepts a subsearch that does not begin with a generating command, such as eval.

Subsearch processing

When a search contains a subsearch, the Splunk software processes the subsearch first as a distinct search job. Then it runs the search that contains it as another search job. Keep this in mind if you include subsearches in searches that are run frequently and you are concerned about search concurrency issues or excess load on your search scheduler.

How subsearches work

A subsearch looks for a single piece of information that is then added as a criterion, or argument, to the primary search. You use a subsearch because the single piece of information that you are looking for is dynamic. The single piece of information might change every time you run the subsearch.

For example, you want to return all of the events from the host that was the most active in the last hour. The host that was the most active might be different from hour to hour. You need to identify the most active host before you can return the events from that host.

You could run two searches to obtain the list of events: one to find the most active host in the last hour, and a second to return the events from that host.

The following search identifies the most active host in the last hour.

    sourcetype=syslog earliest=-1h | top limit=1 host | fields host

Assume that the result is the host named crashy. To return all of the events from the host crashy, you need to run a second search.

The drawback to running two searches is that you cannot set up reports and dashboard panels to run automatically. You must run the first search to identify the piece of information that you need, and then run the second search with that piece of information.

You can combine these two searches into one search that includes a subsearch. The subsearch is in square brackets and is run first. The subsearch in this example identifies the most active host in the last hour. The result of the subsearch is then provided as a criterion for the main search. The main search returns the events for the host.

Time ranges and subsearches

Time ranges selected from the Time Range Picker apply to the base search and to subsearches. However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch.

For example, if the Time Range Picker is set to Last 7 days and a subsearch contains an earliest time modifier, then that modifier applies only to the subsearch and Last 7 days applies to the base search. The subsearch's time range does not apply to the base search or to any other subsearch.

When to use subsearches

Subsearches are mainly used for two purposes:

  • Parameterize one search, using the output of another search. The example, described above, of searching for the most active host in the last hour is an example of this use of a subsearch.
  • Run a separate search and add the output to the first search using the append command.

A subsearch can be used only where the explicit action that you are trying to accomplish is with the search and not a transformation of the data. For example, you cannot use a subsearch with "sourcetype=top | multikv", because the multikv command does not expect a subsearch as an argument. Certain commands, such as append and join, can accept a subsearch as an argument.

Nested subsearches

You can use more than one subsearch in a search. If a search has a set of nested subsearches, the innermost subsearch is run first, followed by the next inner subsearch, working out to the outermost subsearch and then the primary search. For example, you have the following search.

    | search [search index=* | stats count by user [search index=* | stats count by component

You must have a command after the pipe and before the subsearch.
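Added example, not from the original page or from Splunk's own documentation: the two syslog searches above combined into a single search with a subsearch, a variant showing that an earliest= modifier on the outer search does not reach the subsearch, and a nested form that runs innermost first. It assumes the same sourcetype=syslog data as the page's example plus a user field in those events; the trailing triple-backtick text on each line is an SPL comment.

```spl
sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields host] ```subsearch runs first; its single row is passed to the outer search as host=<value>, so the outer search returns every syslog event for that host```

sourcetype=syslog earliest=-7d [search sourcetype=syslog earliest=-1h | top limit=1 host | fields host] | stats count by host ```earliest=-7d applies only to the outer search; the subsearch keeps its own earliest=-1h and is not widened to 7 days```

sourcetype=syslog [search sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields host] | top limit=1 user | fields user] ```innermost: busiest host of the last hour; middle: busiest user on that host (user field assumed); outer: all syslog events for that user on any host```
```

Each bracketed subsearch is its own search job, so scheduling the nested search creates three jobs per run; keep that in mind when sizing scheduler load for frequently run detections.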