A subsearch is a search pipeline enclosed in square brackets and used as an argument to another search, called the "primary" or "outer" search. Splunk runs the subsearch first and substitutes its results into the outer search before the outer search runs. The result of a subsearch is often a single distinct value, such as the top value of a field, but it can also be a set of field/value pairs that the outer search ORs together.

You can use subsearches to match subsets of your data that you cannot describe directly in a search expression, but which can be generated by a search. For example, if you want a single search that finds all events from "the most active host in the last hour", you need a subsearch that first identifies that most active host, and an outer search that then retrieves the events belonging to it.
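The "most active host in the last hour" search written out in SPL, as an added example rather than text from the original page. It assumes a source type named access_combined with a host field; any source type with a host field works the same way.

```spl
/* Outer search: all events from the most active host in the last hour.
   The subsearch in square brackets runs first, and its single result is
   substituted as host="<value>" into the outer search. */
sourcetype=access_combined earliest=-1h
    [ search sourcetype=access_combined earliest=-1h
      | top limit=1 host
      | fields host ]

/* Without "| fields host", top also returns count and percent fields,
   and the subsearch would be substituted as
   ( host="web01" AND count="4212" AND percent="37.5" ), which matches
   nothing. Use "| format" on the subsearch by itself to see exactly
   what string will be substituted into the outer search: */
sourcetype=access_combined earliest=-1h
| top limit=1 host
| fields host
| format
```

Two caveats a practitioner will hit in production: a subsearch that returns no results substitutes an empty clause, so the outer search silently matches everything in its time range, and subsearches are bounded by limits.conf (by default 10,000 results and 60 seconds of run time, after which the partial result set is used without an error in the outer search). Check the search job inspector when a subsearch-driven detection returns more or fewer events than expected.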

For more information

In the Search Manual: