Run multiple searches at the same time.
multisearch command is a generating command that executes multiple streaming searches at the same time. It requires at least two subsearches and allows only streaming operations in each subsearch. Examples of streaming searches include searches with the following commands:
rex. For more information, see Types of commands in the Search Manual.
| multisearch <subsearch1> <subsearch2> <subsearch3> ...
- Syntax: "["search <logical-expression>"]"
- Description: At least two streaming searches. See the search command for detailed information about the valid arguments for the <logical-expression>.
- To learn more, see About subsearches in the Search Manual.
multisearch command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
Subsearch processing and limitations
multisearch command, the events from each subsearch are interleaved. Therefore the
multisearch command is not restricted by the subsearch limitations.
append command, the
multisearch command does not run the subsearch to completion first. The following subsearch example with the
append command is not the same as using the
index=a | eval type = "foo" | append [search index=b | eval mytype = "bar"]
Search for events from both index a and b. Use the
eval command to add different fields to each set of results.
| multisearch [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"]
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the multisearch command.
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 7.2.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.1.3