Subsearch fields "query" "search" - How do I know which to use?

Lowell — Fri, 01 Oct 2010 22:03:15 GMT

Can anyone explain exactly the difference between the special sub-search fields "search" and "query"?

Both of these fields are mentioned in the docs, but I don't see anything listed about how they differ. Any examples would be welcomed.

Re: Subsearch fields "query" "search" - How do I know which to use?

ftk — Fri, 01 Oct 2010 22:38:02 GMT

Using "search"

It appears when you just use "search" then whatever first data is in the search field is used as the actual search term. Example:

index=blah [search  index=blah host=blahadmin | rename EventCode as search]

will result in a search like such:

litsearch index=blah 538 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Notice the "538" which is the first result returned in the EventCode field in the subsearch. You can also use "search" to modify the actual search string that gets passed to the outer search.

For Example:

index=blah [search  index=blah host=blahadmin| eval search="hello there " + EventCode]

Will result in:

litsearch index=blah hello there 538 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Using "query"

"Query" will behave similar to format, but instead of putting out (field1=foo) OR (field1=bar) will just put out the values (foo) OR (bar).

Example:

index=blah [search  index=blah host=blahadmin | rename EventCode as query | fields query]

will result in a search like this:

litsearch index=blah ( ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 19 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 2000 ) OR ( 2000 ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Of course you can dedup EventCode to come up with

litsearch index=blah ( ( 538 ) OR ( 540 ) OR ( 10002 ) OR ( 19 ) OR ( 2000 ) OR ( 560 ) OR ( 576 ) OR ( 552 ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Normal syntax

And finally the using the regular syntax with the implied format at the end of the subsearch:

index=blah [search  index=blah host=blahadmin| fields EventCode]

Results:

litsearch index=blah ( ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="10002" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Again a dedup should be used here.

Conclusion

There are definitely many use cases for each of these methods. "

Search" can come in real handy when you need to append some static data or do some evals on the data in your subsearch and then pass it to the outer search. You could build some complex logic here.
"Query" comes in handy when you are simply looking for the values in the fields returned from the subsearch, but not in these exact fields. And regular syntax comes in handy when you are looking for the returned values in the returned fields.-
On top of all this you can use the format command to apply all kinds of fun formatting to your subsearch results. :)-

Note: After running a search you can click the Actions menu and select "Inspect Search", scroll down to the remoteSearch field, and you can see what the actual query that ended up being built by your subsearch was.

Re: Subsearch fields "query" "search" - How do I know which to use?

martinaire — Wed, 12 Jun 2013 21:44:00 GMT

Thanks! The Query field has helped a lot for subsearches!

Re: Subsearch fields "query" "search" - How do I know which to use?

mikaelbje — Mon, 18 Aug 2014 13:56:30 GMT

The tip about the query field was very handy. Thanks!

Re: Subsearch fields "query" "search" - How do I know which to use?

woodcock — Mon, 06 Jun 2016 16:40:01 GMT

You can pipe your subsearch clause to the format command to see what will actually returned if you were to use the search to the left as a subsearch. When you use search you get (fieldName=value) combinations coming back but when you use query you get just (value).

Re: Subsearch fields "query" "search" - How do I know which to use?

walterk82 — Mon, 18 Dec 2017 21:58:30 GMT

Amen to query!

topic Re: Subsearch fields "query" "search" - How do I know which to use? in Splunk Search

Subsearch fields "query" "search" - How do I know which to use?

Re: Subsearch fields "query" "search" - How do I know which to use?

Using "search"

Using "query"

Normal syntax

Conclusion

Re: Subsearch fields "query" "search" - How do I know which to use?

Re: Subsearch fields "query" "search" - How do I know which to use?

Re: Subsearch fields "query" "search" - How do I know which to use?

Re: Subsearch fields "query" "search" - How do I know which to use?