Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help on subsearches understanding

jip31
Motivator
‎09-08-2021 09:36 AM

Hello

I have read the Splunk documentation regarding the subsearches

https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Aboutsubsearches 

There is 2 things I don't understand

1) Except if I am mistaken but the subsearch below

 

sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields + host]

 

provides the same result that if I dont use the subsearch

 

sourcetype=syslog earliest=-1h | top limit=1 host | fields + host

 

but the main difference is that if I use a subsearch I will just collect directly the good event while if I use the standard search, I am going to collect all the events with earliest = -1h and after I am going to display the related host with top limit=1

Is it correct?

2) The documentation says that the second reason to use a subsearh is to "Run a separate search and add the output to the first search using the append command"

It means that we only can use the append command after brackets or is it also possible to use join, appendcols or appendpipe comand because I have already seen this!

If it's possible what are the difference when we use append in a subsearch compared to join, appendcols or appendpipe?

Thanks in advance

Tags (1)
0 Karma
Reply

jip31
Motivator
‎09-09-2021 01:30 AM

 is anybody can help please??

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 10:31 AM

Well, the first example is really a bit pointless because you're only losing one search (you're running two searches instead of one) and don't get any performance advantage or flexibility. Subsearch makes sense if you want to dynamicaly get search criteria from - for example - event data. For example:

sourcetype=sshd_logins [ search index=httpd_access_log | stats values(src_ip) as host | table host ]

Might be a bit faul ty because I'm writing it while walking my dog 😉 but you should get the idea - you get data from some events, manipulate them and generate conditions for searching on a completely different set of data.

Append simply "attaches" results of one search at the end of another search. No magic, no logic. Just glues another set of events after the results from the base search.

0 Karma
Reply

jip31
Motivator
‎09-09-2021 01:29 AM

Thanks but it doesnt help as exepected

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...