Splunk Search

Subsearch fields "query" "search" - How do I know which to use?

Lowell
Super Champion

Can anyone explain exactly the difference between the special sub-search fields "search" and "query"?

Both of these fields are mentioned in the docs, but I don't see anything listed about how they differ. Any examples would be welcomed.

1 Solution

ftk
Motivator

Using "search"

It appears when you just use "search" then whatever first data is in the search field is used as the actual search term. Example:

index=blah [search  index=blah host=blahadmin | rename EventCode as search]

will result in a search like this:

litsearch index=blah 538 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Notice the "538" which is the first result returned in the EventCode field in the subsearch. You can also use "search" to modify the actual search string that gets passed to the outer search.

For Example:

index=blah [search  index=blah host=blahadmin| eval search="hello there " + EventCode]

Will result in:

litsearch index=blah hello there 538 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Using "query"

"Query" will behave similar to format, but instead of putting out (field1=foo) OR (field1=bar) will just put out the values (foo) OR (bar).

Example:

index=blah [search  index=blah host=blahadmin | rename EventCode as query | fields query]

will result in a search like this:

litsearch index=blah ( ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 19 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 2000 ) OR ( 2000 ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Of course you can dedup EventCode to come up with

litsearch index=blah ( ( 538 ) OR ( 540 ) OR ( 10002 ) OR ( 19 ) OR ( 2000 ) OR ( 560 ) OR ( 576 ) OR ( 552 ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Normal syntax

And finally, using the regular syntax with the implied format at the end of the subsearch:

index=blah [search  index=blah host=blahadmin| fields EventCode]

Results:

litsearch index=blah ( ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="10002" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) 
OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"

Again a dedup should be used here.

Conclusion

There are definitely many use cases for each of these methods.

  • "Search" can come in real handy when you need to append some static data or do some evals on the data in your subsearch and then pass it to the outer search. You could build some complex logic here.

  • "Query" comes in handy when you are simply looking for the values in the fields returned from the subsearch, but not in these exact fields. And regular syntax comes in handy when you are looking for the returned values in the returned fields.

  • On top of all this you can use the format command to apply all kinds of fun formatting to your subsearch results. :)

Note: After running a search you can click the Actions menu and select "Inspect Search", scroll down to the remoteSearch field, and you can see what the actual query that ended up being built by your subsearch was.

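To make the three expansions in the accepted answer concrete, here is an added example (my own, not Splunk's code and not the answer author's) that models how the rows coming back from a subsearch are spliced into the outer search string. It assumes the default format settings Splunk documents for the implicit format step ("(" "(" "AND" ")" "OR" ")"), assumes the query case ends with `fields query` as in the answer, and uses constructed rows shaped like the EventCode results in the thread. The last function also shows the practical difference a defender cares about: a value that reaches the `search` path is inserted verbatim as search syntax, while the regular path wraps the same value in `field="..."`.

```python
# Added example: a small model of Splunk subsearch expansion (not Splunk code).
# Assumed defaults for the implicit format step: "(" "(" "AND" ")" "OR" ")".
from collections import OrderedDict


def dedup(rows, field):
    """Model `| dedup <field>`: keep the first row seen for each distinct value."""
    seen = OrderedDict()
    for row in rows:
        seen.setdefault(row[field], row)
    return list(seen.values())


def as_field(rows, name):
    """Model `| rename EventCode as <name> | fields <name>` on constructed rows."""
    return [{name: r["EventCode"]} for r in rows]


def expand_subsearch(rows):
    """Return the text that replaces `[ ... ]` in the outer search.

    rows: one dict per subsearch result (field -> value), as the subsearch's
    final rename/eval/fields commands left them.
    """
    if not rows:
        raise ValueError("empty subsearch is not modelled by this example")
    first = rows[0]
    if "search" in first:
        # `search` field: the FIRST row's value is spliced in verbatim,
        # with no quoting and no parentheses; remaining rows are ignored.
        return str(first["search"])
    if "query" in first:
        # `query` field: every row contributes its bare value, OR-ed together.
        return "( " + " OR ".join(f"( {r['query']} )" for r in rows) + " )"
    # Ordinary fields: implicit format, field="value" pairs,
    # AND within a row, OR across rows.
    clauses = [
        "( " + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + " )"
        for row in rows
    ]
    return "( " + " OR ".join(clauses) + " )"


def outer_search(base, rows):
    """Assemble the final outer search, e.g. `index=blah [ ... ]`."""
    return f"{base} {expand_subsearch(rows)}"


def quoting_difference(value):
    """Show why the `search` path needs trusted input: the same value is raw
    search syntax on the `search` path but a quoted field value on the regular
    path. Returns (search_path_text, regular_path_text)."""
    return (
        expand_subsearch([{"search": value}]),
        expand_subsearch([{"EventCode": value}]),
    )


# Constructed sample, shaped like the thread's EventCode results (not real data).
SAMPLE = [{"EventCode": c} for c in ("538", "540", "538", "540", "10002", "19", "2000")]

if __name__ == "__main__":
    print(outer_search("index=blah", as_field(SAMPLE, "search")))
    print(outer_search("index=blah", [{"search": "hello there 538"}]))
    print(outer_search("index=blah", dedup(as_field(SAMPLE, "query"), "query")))
    print(outer_search("index=blah", dedup(SAMPLE, "EventCode")))
    print(quoting_difference("538 540"))
```

Running it reproduces the shapes from the answer: `index=blah 538` for the `search` field, `( ( 538 ) OR ( 540 ) OR ... )` for `query`, and `( ( EventCode="538" ) OR ... )` for the regular path. The last line prints `538 540` next to `( ( EventCode="538 540" ) )`, which is the reason to build the `search` field only from values you control rather than from arbitrary event data.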

woodcock
Esteemed Legend

You can pipe your subsearch clause to the format command to see what will actually be returned if you were to use the search to the left as a subsearch. When you use search you get (fieldName=value) combinations coming back, but when you use query you get just (value).

0 Karma

mikaelbje
Motivator

The tip about the query field was very handy. Thanks!

0 Karma

walterk82
Path Finder

Amen to query!

0 Karma

martinaire
Explorer

Thanks! The Query field has helped a lot for subsearches!

0 Karma