Subsearch

A subsearch is a search within a search. If your main search needs values that only another search can produce, use Splunk's subsearch capability to combine the two into one: the inner search runs first, and its results are substituted into the outer search as search terms. 

Say you want to find statistics about the server that generates the most HTTP status 500 errors. You can achieve your goal of finding the culprit server with two searches.

The first search, shown next, returns the address of the server with the most 500 errors. Note that limit=1 keeps only the top server, and fields + server_ip (the + sign means include) keeps only the server_ip field, discarding the count and percent columns that top also produces:

SPL> index=main http_status_code=500 | top limit=1 server_ip 
     | fields + server_ip

The result of this search is one of the three IP addresses generated from our Eventgen data.

The second search, shown next, applies the server_ip value from the first search as a filter and then lists the top values of the http_uri and client_ip fields. In other words, it asks for the most common http_uri and client_ip values among the events from the server with the most 500 codes:

SPL> index=main server_ip=10.2.1.34 | top http_uri, client_ip

You can combine these two searches into one with a subsearch. Note that the subsearch appears within square brackets and begins with the search command. Splunk runs it first and turns each result row into a search term, so here it expands to server_ip=10.2.1.34 and the outer search behaves exactly like the second search above. This is why fields + server_ip matters: if count and percent were left in, they would become search terms as well, and because raw events carry no count or percent field the outer search would almost certainly match nothing:

SPL> index=main [ search index=main http_status_code=500 
     | top limit=1 server_ip
     | fields + server_ip ] | top http_uri, client_ip
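A quick way to check what a subsearch will hand to the outer search is to run the inner search on its own with the format command appended; format prints the generated search string in a field named search. The searches below are an added example, not code from the original page; they assume the same index=main and the server_ip field used above, plus the count and percent fields that top produces.

```spl
index=main http_status_code=500
    | top limit=1 server_ip
    | fields + server_ip
    | format

index=main http_status_code=500
    | top limit=1 server_ip
    | format

index=main [ search index=main http_status_code=500
             | top limit=1 server_ip
             | return server_ip ]
    | top http_uri, client_ip
```

The first search yields search = ( ( server_ip="10.2.1.34" ) ), which is what the outer search receives. The second, without fields +, yields a clause of the form ( ( count="..." AND percent="..." AND server_ip="10.2.1.34" ) ); every value must match the same event, so the outer search finds nothing. The third search uses return, which emits exactly one server_ip="..." term (return defaults to one row) and so replaces the fields + step while avoiding the count/percent problem.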

Subsearches are also useful for finding what is missing. Consider a case where you have two or more sources of application logs (separate indexes or, as in this example, separate sourcetypes) that share a field. A NOT subsearch returns the events from the first source whose value for that shared field never appears in the second source:

SPL> sourcetype=a_sourcetype NOT [search sourcetype=b_sourcetype 
     | fields field_val]

By default a subsearch is limited to 10,000 results and 60 seconds of run time (the maxout and maxtime settings in the [subsearch] stanza of limits.conf). When it hits either limit the result set is truncated, a warning appears in the search messages, and the outer search runs with an incomplete set of terms. The limits exist because every result row becomes a clause in the outer search, so a large subsearch slows down the whole search. Keep the subsearch small, for example by deduplicating the field before returning it.
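As an added example that is not from the original page, here is the NOT pattern applied to a common detection question: which clients reached an application server directly, without a matching entry in the proxy logs? It assumes two sourcetypes, app_access and proxy_access, that share a client_ip field, and reuses the http_uri field from the Eventgen data above; the sourcetype names are assumptions. dedup keeps the subsearch well under the 10,000-result cap, and the subsearch carries its own earliest modifier so both sides are evaluated over the same 24-hour window regardless of the time picker.

```spl
sourcetype=app_access earliest=-24h
    NOT [ search sourcetype=proxy_access earliest=-24h
          | dedup client_ip
          | fields + client_ip ]
    | stats count AS direct_requests, dc(http_uri) AS distinct_uris BY client_ip
    | sort - direct_requests
```

The subsearch expands to ( ( client_ip="..." ) OR ( client_ip="..." ) ... ), one clause per distinct proxy client, and NOT negates the whole group, so only clients never seen by the proxy survive to the stats command. If the proxy sourcetype has more than 10,000 distinct clients in the window, the expansion is truncated and some proxied clients would wrongly appear in the output, so check the search messages for a truncation warning before trusting the result.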