subsearch

noun

A search pipeline that is enclosed in square brackets and whose result is substituted as an argument into an outer, or primary, search. Splunk runs the subsearch first and turns its result into a search expression for the outer search, so the result of a subsearch is often a single value, such as a top value.

You can use subsearches to match subsets of your data that you cannot describe directly in a search expression but that can be generated by a search. For example, to find the events of "the most active host in the last hour", you first design a subsearch that identifies the most active host in the last hour, and then use its result in an outer search that finds the events belonging to that host.
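The "most active host in the last hour" case above, written out as an SPL search. This is an added example, not a search from the original glossary page; it assumes events carry the default host field and use a sourcetype named syslog, both chosen for illustration.

```spl
| search sourcetype=syslog earliest=-24h
    [ search sourcetype=syslog earliest=-1h
      | top limit=1 host
      | fields host ]
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY host
| convert ctime(first_seen) ctime(last_seen)
```

The bracketed subsearch runs first with its own time range (earliest=-1h), and its single row is rewritten into a boolean expression such as ( host="web01" ) that the outer search then matches over the last 24 hours. The `| fields host` step matters: `top` also emits count and percent, and without it the generated expression would be ( host="web01" AND count=... AND percent=... ), which matches nothing. To see exactly what a subsearch expands to, run it on its own with `| format` appended. Two caveats a practitioner should keep in mind: a subsearch is truncated silently once it exceeds the limits in limits.conf (by default 10,000 results and 60 seconds), so a subsearch meant to return many values can quietly narrow the outer search; and if the subsearch returns no rows, the outer search is not constrained and returns everything in the time range, which is easy to mistake for a finding.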
