Use subsearch to correlate events
A subsearch takes the results from one search and uses the results in another search. This enables sequential state-like data analysis. You can use subsearches to correlate data and evaluate events in the context of the whole event set, including data across different indexes or Splunk Enterprise servers in a distributed environment.
For example, say you have two or more indexes for different application logs. The event data from these logs share at least one common field. You can use the values of this field to search for events in one index based on a value that is not in another index:
sourcetype=some_sourcetype NOT [search sourcetype=another_sourcetype | fields field_val]
That search is equivalent to the SQL "NOT IN" functionality:
SELECT * from some_table
WHERE field_value
NOT IN (SELECT field_value FROM another_table)
Example
To identify the IP address of the top customer at Buttercup Games with the most purchases, you could run the following search:
sourcetype=access_* status=200 action=purchase
| top limit=1 clientip
Then, you could search the customer's purchase history by running the following search on the customer's IP address, which is 87.194.216.51:
sourcetype=access_* status=200 action=purchase clientip=87.194.216.51
| stats count, distinct_count(productId), values(productId) by clientip
But, what if the next time you run this search, someone else is the top customer? You would have to run the first search again to find out the new top customer's IP address and then rewrite the second search with that new IP address. Instead of going to all of that trouble, you could get the same results by using a subsearch to correlate the events with the IP address and pass the top customer's IP address to the main search every time you run the search:
sourcetype=access_* status=200 action=purchase
[ search sourcetype=access_* status=200 action=purchase
| top limit=1 clientip
| table clientip
]
| stats count, distinct_count(productId), values(productId) by clientip
The search results look something like this:
| clientip | count | dc(productId) | values(productId) |
|---|---|---|---|
| 87.194.216.51 | 134 | 14 | BS-AG-G09 CU-PG-G06 |
| About subsearches | Change the format of subsearch results |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!