Download topic as PDF
multisearch
Description
Run multiple searches at the same time.
The multisearch command is a generating command that executes multiple streaming searches at the same time. It requires at least two subsearches and allows only streaming operations in each subsearch. Examples of streaming searches include searches with the following commands: search, eval, where, fields, and rex. For more information, see Types of commands in the Search Manual.
Syntax
| multisearch <subsearch1> <subsearch2> <subsearch3> ...
Required arguments
- <subsearch>
- Syntax: "["search <logical-expression>"]"
- Description: At least two streaming searches. See the search command for detailed information about the valid arguments for the <logical-expression>.
- To learn more, see About subsearches in the Search Manual.
Usage
The multisearch command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Subsearch processing and limitations
With the multisearch command, the events from each subsearch are interleaved. Therefore the multisearch command is not restricted by the subsearch limitations.
Unlike the append command, the multisearch command does not run the subsearch to completion first. The following subsearch example with the append command is not the same as using the multisearch command.
index=a | eval type = "foo" | append [search index=b | eval mytype = "bar"]
Examples
Example 1:
Search for events from both index a and b. Use the eval command to add different fields to each set of results.
| multisearch [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"]
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the multisearch command.
|
PREVIOUS multikv |
NEXT mvcombine |
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1
Comments
This page links to "types of searches" (http://docs.splunk.com/Documentation/Splunk/6.6.0/Search/Aboutsearch) but this page does not include any information on streaming searches vs non-streaming searches. you should link to http://docs.splunk.com/Documentation/SplunkCloud/latest/Search/Typesofcommands instead.
Woodcock
No, these are not the same. In multisearch you will get events interleaved. Unlike append, it doesn't run the subsearch to completion first. So it is not subject to the subsearch limitations.
I assume that your example is exactly the same as this:
index=a | eval type = "foo" | append [search index=b | eval mytype = "bar"]
If so (or if not), this would be good to note.
ALSO, I assume this is subject to all the subsearch-limits, right? This, too, should be mentioned.
Drewg33
Thanks for pointing that out. I've updated the link to point to "Types of commands" where streaming commands are discussed.