A search pipeline that is enclosed in square brackets, the result of which is used as an argument in an outer or primary search. The result of a subsearch is often one distinct result, such as a top value.

You can use subsearches to match subsets of your data that you cannot describe directly in a search expression, but which can be generated from a search.

For example, to find the most active host in the last hour:

  1. Design a subsearch that identifies the "most active host in the last hour."
  2. Search to find events that belong to that host.
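The two steps above written as one SPL search, as an added example that is not part of the original glossary entry. The index name `main` is an assumption; `host` is the standard Splunk field, and the bracketed pipeline is the subsearch:

```spl
index=main [ search index=main earliest=-1h | top limit=1 host | fields host ]
```

Splunk runs the bracketed subsearch first. `top limit=1 host` returns the single most active host in the last hour, `fields host` drops the `count` and `percent` columns so only the host name is passed outward, and the result is substituted into the primary search as `host="<value>"`, so the outer search becomes `index=main host="<value>"`. To see exactly what a subsearch will hand to the outer search, run the bracketed pipeline on its own and append `| format`. Keep in mind the default subsearch limits (at most 10,000 results and a 60-second run time); a subsearch that hits either limit is silently truncated, which can make the outer search match less than you expect.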

For more information

In the Search Manual: