Splunk Search

How do subsearch work in distributed search?

karabsze
Path Finder

Per my knowledge, the subsearch result would be acted as parameter to the main search. In the distributed search, would the subsearch result first be consolidated in the search head and then further distributed to the search peer? Thanks!

0 Karma
1 Solution

David
Splunk Employee
Splunk Employee

Yes, it is exactly as you describe. The result is consolidated on the search head.

View solution in original post

David
Splunk Employee
Splunk Employee

Yes, it is exactly as you describe. The result is consolidated on the search head.

View solution in original post

thomrs
Communicator

Look at the job inspector it will give you some insight as to how the sub search works.

0 Karma

karabsze
Path Finder

Thanks all!
When distributed to the search peer, how do the results send out? via knowledge bundle?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!