Splunk Search

Order of subsearches


Hi !

I would like to ask question regarding to the order of processing of subsearch.

If I write as

index=A [ search hoge ]
| join type=inner fieldA [ search test]

Will the search hoge will be executed first?


Tags (1)


Wearily, I plodded through the Thickets of Antiquity on my quest for Datalicious, the Ruler of the Datatables. Hark! A sound! It comes from behind the hedge of Hoge. A rustling sound, faint, as if a canary, yellow and brilliant, had expelled vapors of methane. I scarce thought I heard it. And then suddenly, upon the scene burst forth: A hare of good size and build. "Good Morrow", said he, whilst I, perplexed, sat gingerly upon the ground. "I've searched long and I've searched low", he started, "to find the answer to my question." Now I, of being convinced I was dreaming, replied "Go On", as a simpleton might say "More Beer" to the inn keep. "I postulate this: A subsearch, being as lowly as searches go, executes prior to a secondary search command. Am I right in my assumption, or have I perplexed the likes of man?" he questioned. I, Sir Alacer of SplunkAdminary (a silly place long lost in the books of time), replied: "Yes, your assumptions are correct". "Wonderful!" he exclaimed, and raced on his way. As he quickly departed I shouted: "If you have more need for answering, please, comment below!"


Honor Sir Alacer! ... and now we sing...

We're Knights of the stats Table
We dance whene'er we're able
We do subsearches and chart scenes
With footwork impeccable ....