Usage of Splunk command: MULTISEARCH
Multisearch is a generating command (generating commands use a leading pipe character and should be the first command in a search) that runs multiple searches at the same time without truncating the results of the data sets. It requires more than one subsearch to execute. These subsearches can contain only the following commands: where, search, rex, fields, and eval.
| multisearch [<subsearch1>] [<subsearch2>] ...
| multisearch [search index="_internal" sourcetype=splunkd_access | eval type="internal"] [search index="_audit" sourcetype=audittrail | eval type="audit"]
Here we have used two subsearches and combined them with the multisearch command. The result contains data from both indexes.
This works similarly to the append or appendcols command, combining two different data sets into a single data set. One advantage over the append command is that multisearch does not truncate results, so you can combine multiple data sets without truncation.
Multisearch vs append:
While in your simple example it might not have a benefit, multisearch lets you use any streaming command in each search. I think its value would come out in a case where you need to apply calculations (eval) or inline extractions (rex) to one set of events, but not to other sets of events, and it might make your search easier to understand (instead of getting multiple levels of if statements deep in your evals).
Additionally, multisearch searches are run (more-or-less) simultaneously, not sequentially as they are with append. If the search slots are available, multisearch should finish dramatically faster.
With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations.
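An added example (not from the original post) of the case described above: rex and a status-based eval are applied only to the splunkd_access branch, the audittrail branch gets its own eval, and the transforming commands run once on the interleaved result. It assumes the uri, status, user and info fields are extracted for these sourcetypes; api_root and outcome are field names made up for the illustration.

```spl
| multisearch
    [ search index=_internal sourcetype=splunkd_access
      | rex field=uri "^/(?<api_root>\w+)"
      | eval type="internal", outcome=if(status>=400, "error", "ok") ]
    [ search index=_audit sourcetype=audittrail
      | eval type="audit", outcome=coalesce(info, "unknown") ]
| fillnull value="-" api_root user
| stats count by type, user, outcome, api_root
| sort - count
```

The fillnull step matters because stats drops any event that is missing one of its by-fields, and only the first branch ever sets api_root.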
Unlike the append command, the multisearch command does not run the subsearch to completion first. The following subsearch example with the append command is not the same as using the multisearch command.
I hope you all have enjoyed this blog “Usage of Splunk command: MULTISEARCH”. See you all in the next one.