Spread our blog

                               SUBSEARCH

Definition:
1) A subsearch is a search that is used to reduce the set of events from your result set.
2) The result of the subsearch is used as an argument to the primary or outer search.
3)  Subsearches must be enclosed in square brackets and must start with a Generating command (eg: search, makeresults etc.).If you want to know more about generating commands, click here.

First, let me show you the data we are going to use to show you the usage of “subsearches”.
Here, we will use two indexes, 1) employee_info_main 2) employee_info_sub
And from these two indexes, we are going to take a common field i.e. “Employee_Name”, which contains the names of some employees.

Please, see the below query to see the data for index “employee_info_main” which we will use as “Primary Search”.

index=employee_info_main
| table Employee_Name
| dedup Employee_Name

Now, as you can see the field “Employee_Name” contains names of 5 employees.
Please, see the below query to see the data for index “employee_info_sub”, which we will use as the “subsearch”.

index=employee_info_sub
| table Employee_Name
| dedup Employee_Name

Now, as you can see the field “Employee_Name” contains names of 3 employees.
Now, if you want to search for the values of “Employee Name” field of the 2nd index i.e. “employee_info_sub” inside the 1st index i.e. “employee_info_main”, you can use subsearch to do that. So, let’s see,

Example: 1

index=employee_info_main
| table Employee_Name
| dedup Employee_Name
| search
    [| search index="employee_info_sub"
    | table Employee_Name
    | dedup Employee_Name]

Explanation:
Here, our primary search is,

index=employee_info_main
| table Employee_Name
| dedup Employee_Name

And here, our subsearch is,

[| search index=employee_info_sub
    | table Employee_Name
    | dedup Employee_Name]

As, you can see in the primary query, first we have retrieved the unique values for “Employee_Name” field in tabular format from index “employee_info_main” using “table” and “dedup” command.
Then, we have used the “search” command because the result from sub search we want to search from the result set of the primary query.
As, we wanted to search for the values of “Employee Name” of the 2nd index i.e. “employee_info_sub” inside the 1st index i.e. “employee_info_main” , in square brackets as a subsearch, we have mentioned the query from “employee_info_sub” index.
If you will compare the above image with the image: 1 and image: 2 , you can easily understand, we successfully searched for the values of “Employee_Name” field of “employee_info_sub” index in “employee_info_main” index.

You can also know about :  Usage of Splunk commands : REPLACE

Now, what if you want to discard the values for “Employee_Name” for “employee_info_sub” from the result set i.e. you want to see all the values for the “Employee_Name” field, except the values which are present in the “employee_info_sub” index. For that, we have our next example. Please, see below.

EXAMPLE: 2

index=employee_info_main
| table Employee_Name
| dedup Employee_Name
| search  NOT
    [| search index=employee_info_sub
    | table Employee_Name
    | dedup Employee_Name]

Explanation:
Here, our primary query is,

index=employee_info_main
| table Employee_Name
| dedup Employee_Name

And here, our subsearch is,

[| search index=employee_info_sub
    | table Employee_Name
    | dedup Employee_Name]

As, you can see in the query first we have retrieved the unique values for the “Employee_Name”  field in tabular format from index “employee_info_main” using “table” and “dedup” command.
Then, we have used the “search” command with “NOT” operator because the result from subsearch we want to discard from the result set of primary query.
Then in square brackets as a subsearch we have mentioned the query to get values for “Employee_Name” for “employee_info_sub” index.
If you will compare the above image with image: 1 and image: 2, you can see that as the result, we are getting all the values for the “Employee_Name” field, except the values which are present in the “employee_info_sub” index.

Happy Splunking !!!

What’s your Reaction?
+1
+1
+1
+1
+1
1
+1
+1

Spread our blog

LEAVE A REPLY

Please enter your comment!
Please enter your name here