Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help on subsearches understanding

jip31
Motivator
‎09-08-2021 09:36 AM

Hello

I have read the Splunk documentation regarding the subsearches

https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Aboutsubsearches 

There is 2 things I don't understand

1) Except if I am mistaken but the subsearch below

 

sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields + host]

 

provides the same result that if I dont use the subsearch

 

sourcetype=syslog earliest=-1h | top limit=1 host | fields + host

 

but the main difference is that if I use a subsearch I will just collect directly the good event while if I use the standard search, I am going to collect all the events with earliest = -1h and after I am going to display the related host with top limit=1

Is it correct?

2) The documentation says that the second reason to use a subsearh is to "Run a separate search and add the output to the first search using the append command"

It means that we only can use the append command after brackets or is it also possible to use join, appendcols or appendpipe comand because I have already seen this!

If it's possible what are the difference when we use append in a subsearch compared to join, appendcols or appendpipe?

Thanks in advance

Tags (1)
0 Karma
Reply

jip31
Motivator
‎09-09-2021 01:30 AM

 is anybody can help please??

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 10:31 AM

Well, the first example is really a bit pointless because you're only losing one search (you're running two searches instead of one) and don't get any performance advantage or flexibility. Subsearch makes sense if you want to dynamicaly get search criteria from - for example - event data. For example:

sourcetype=sshd_logins [ search index=httpd_access_log | stats values(src_ip) as host | table host ]

Might be a bit faul ty because I'm writing it while walking my dog 😉 but you should get the idea - you get data from some events, manipulate them and generate conditions for searching on a completely different set of data.

Append simply "attaches" results of one search at the end of another search. No magic, no logic. Just glues another set of events after the results from the base search.

0 Karma
Reply

jip31
Motivator
‎09-09-2021 01:29 AM

Thanks but it doesnt help as exepected

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...