Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help on subsearches understanding

jip31
Motivator
‎09-08-2021 09:36 AM

Hello

I have read the Splunk documentation regarding the subsearches

https://docs.splunk.com/Documentation/Splunk/8.2.2/Search/Aboutsubsearches 

There is 2 things I don't understand

1) Except if I am mistaken but the subsearch below

 

sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields + host]

 

provides the same result that if I dont use the subsearch

 

sourcetype=syslog earliest=-1h | top limit=1 host | fields + host

 

but the main difference is that if I use a subsearch I will just collect directly the good event while if I use the standard search, I am going to collect all the events with earliest = -1h and after I am going to display the related host with top limit=1

Is it correct?

2) The documentation says that the second reason to use a subsearh is to "Run a separate search and add the output to the first search using the append command"

It means that we only can use the append command after brackets or is it also possible to use join, appendcols or appendpipe comand because I have already seen this!

If it's possible what are the difference when we use append in a subsearch compared to join, appendcols or appendpipe?

Thanks in advance

Tags (1)
0 Karma
Reply

jip31
Motivator
‎09-09-2021 01:30 AM

 is anybody can help please??

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎09-08-2021 10:31 AM

Well, the first example is really a bit pointless because you're only losing one search (you're running two searches instead of one) and don't get any performance advantage or flexibility. Subsearch makes sense if you want to dynamicaly get search criteria from - for example - event data. For example:

sourcetype=sshd_logins [ search index=httpd_access_log | stats values(src_ip) as host | table host ]

Might be a bit faul ty because I'm writing it while walking my dog 😉 but you should get the idea - you get data from some events, manipulate them and generate conditions for searching on a completely different set of data.

Append simply "attaches" results of one search at the end of another search. No magic, no logic. Just glues another set of events after the results from the base search.

0 Karma
Reply

jip31
Motivator
‎09-09-2021 01:29 AM

Thanks but it doesnt help as exepected

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...