Splunk Search

What are the pros and cons of using search workflow action vs subsearch?

richkappler
Path Finder

These two items seem to do the same thing. Does anyone have a good relative/comparative pros and cons discussion link?

0 Karma
1 Solution

adonio
Ultra Champion

I think they are very different.
A workflow action, as described and explained here: https://docs.splunk.com/Splexicon:Workflowaction
is a highly configurable knowledge object that enables a variety of interactions between fields in events and other web resources.

Workflow actions can:

• Create HTML links that, for example, run searches in external search engines for field values.
• Generate HTTP POST requests to specified URIs.
• Launch secondary searches that use specific field values from a selected event.

A subsearch is a search within a search, many times used as a filter.
More detailed definition here: https://docs.splunk.com/Splexicon:Subsearch

So, to your question, I don't think there are relative/comparative pros and cons or discussion around that topic.

What is the problem you are trying to solve?

Hope it helps.


richkappler
Path Finder

It's not that I'm trying to solve a particular problem. Had that been the case I would have identified the problem. I'm trying to understand the difference between 2 types of search. If you disregard GET and POST as I did in my subj line, and focus on "search workflow actions" as described in the docs vice the splexicon: http://docs.splunk.com/Documentation/Splunk/6.6.2/Knowledge/CreateworkflowactionsinSplunkWeb#Set_up_... where it says "• Search workflow actions, which launch secondary searches that use specific field values from an event, such as a search that looks for the occurrence of specific combinations of ipaddress and http_status field values in your index over a specific time range.", it seems to be very similar, if not identical, to a subsearch. Hence the question as it was posed.

0 Karma
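
An added illustration of the distinction discussed in this thread (not part of any post and not taken from the Splunk documentation): a search workflow action defined in workflow_actions.conf, with an equivalent-looking subsearch shown in comments. The stanza name, index, sourcetype, time range and threshold are assumptions; the field names ipaddress and http_status are the ones quoted above.

```ini
# workflow_actions.conf -- constructed example, hypothetical stanza name.
# A search workflow action is a knowledge object: it adds a menu entry to
# events that carry the listed fields, and the secondary search runs only
# when a user clicks that entry, with the $field$ tokens filled in from
# the one event the user selected.
[related_status_by_ip]
type = search
label = Other events for $ipaddress$ with status $http_status$
fields = ipaddress, http_status
display_location = both
search.search_string = index=web ipaddress=$ipaddress$ http_status=$http_status$
search.app = search
search.view = search
search.target = blank
search.earliest = -24h
search.latest = now

# A subsearch, by contrast, is part of the search string itself. The
# bracketed search runs first, without any user interaction, and its
# results are expanded into filter terms for the outer search.
# SPL shown as a comment (index, sourcetype and threshold are assumptions):
#
#   index=web http_status=500
#       [ search index=web sourcetype=access_combined http_status=401
#         | stats count by ipaddress
#         | where count > 20
#         | fields ipaddress ]
```

The workflow action takes its values from a single event chosen in the UI, while the subsearch feeds a computed set of values into one query, which is why it can be used in scheduled searches and alerts.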

