Subsearching
A subsearch is a Splunk search that uses a search pipeline as its argument. Subsearches are enclosed in square brackets and are evaluated first; their results are substituted into the outer search before it runs. Think of a subsearch as similar to a SQL subquery (a query nested inside a larger query).
Subsearches are mainly used for three purposes:
- To parameterize one search using the output of another search
- To run a separate search and stitch its output onto the first search using the append command
- To create a conditional search, where you only see the results of your search if they meet the criteria or threshold set by the subsearch
Generally, you use a subsearch to take the results of one search and use them in another search, all within a single Splunk search pipeline. Because the subsearch's output is passed in as an argument, the command that receives it must accept arguments, as the append command (mentioned earlier) does.
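The three uses listed above, worked through on authentication logs, as an added example that is not part of the original page. It assumes a sourcetype named linux_secure whose events carry src_ip and user fields (the field names are assumptions); the thresholds of 20 and 500 are illustrative.

```spl
sourcetype=linux_secure "Accepted password"
    [ search sourcetype=linux_secure "Failed password"
      | stats count BY src_ip
      | where count > 20
      | fields src_ip ]
| stats count AS successes BY src_ip, user

sourcetype=linux_secure "Failed password"
| stats count AS failed BY src_ip
| append
    [ search sourcetype=linux_secure "Accepted password"
      | stats count AS accepted BY src_ip ]
| stats sum(failed) AS failed, sum(accepted) AS accepted BY src_ip

sourcetype=linux_secure "Failed password"
    [ search sourcetype=linux_secure "Failed password"
      | stats count
      | eval search=if(count > 500, "*", "NOT *")
      | fields search ]
| stats count BY src_ip, user
```

In the first search (parameterization) the subsearch returns only src_ip values, which Splunk expands into an OR expression such as (src_ip="198.51.100.7" OR src_ip="203.0.113.9") before the outer search runs, so only successful logins from sources that first failed more than 20 times are returned. In the second (append) the subsearch is an independent search whose result rows are added onto the first search's rows; the final stats merges the two row sets by src_ip. In the third (conditional) the subsearch returns a field literally named search, whose value Splunk inserts verbatim: "*" matches everything, while "NOT *" matches nothing, so the outer search returns results only when the overall failure count crosses the threshold. Keep in mind that a subsearch is capped by limits.conf (by default 10,000 results and 60 seconds); past those limits its output is silently truncated, which can make a parameterized search quietly miss sources, so check the job inspector when the inner result set may be large.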
Some examples of subsearching are as follows:
- Parameterization: Consider the following code:
sourcetype...