Can anyone explain exactly the difference between the special sub-search fields "search" and "query"?
Both of these fields are mentioned in the docs, but I don't see anything listed about how they differ. Any examples would be welcome.
It appears when you just use "search" then whatever first data is in the search field is used as the actual search term. Example:
index=blah [search index=blah host=blahadmin | rename EventCode as search]
will result in a search like such:
litsearch index=blah 538 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
Notice the "538" which is the first result returned in the EventCode field in the subsearch. You can also use "search" to modify the actual search string that gets passed to the outer search.
For Example:
index=blah [search index=blah host=blahadmin| eval search="hello there " + EventCode]
Will result in:
litsearch index=blah hello there 538 | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
"Query" will behave similarly to format, but instead of putting out (field1=foo) OR (field1=bar) it will just put out the values (foo) OR (bar).
Example:
index=blah [search index=blah host=blahadmin | rename EventCode as query | fields query]
will result in a search like this:
litsearch index=blah ( ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 19 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 538 ) OR ( 540 ) OR ( 2000 ) OR ( 2000 ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
Of course you can dedup EventCode to come up with
litsearch index=blah ( ( 538 ) OR ( 540 ) OR ( 10002 ) OR ( 19 ) OR ( 2000 ) OR ( 560 ) OR ( 576 ) OR ( 552 ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
And finally, using the regular syntax with the implied format at the end of the subsearch:
index=blah [search index=blah host=blahadmin| fields EventCode]
Results:
litsearch index=blah ( ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="10002" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) OR ( EventCode="540" ) OR ( EventCode="538" ) ) | fields keepcolorder=t * "*" "host" "index" "source" "sourcetype" "splunk_server"
Again, a dedup should be used here.
There are definitely many use cases for each of these methods. "Search" can come in real handy when you need to append some static data or do some evals on the data in your subsearch and then pass it to the outer search. You could build some complex logic here.
"Query" comes in handy when you are simply looking for the values in the fields returned from the subsearch, but not in these exact fields. And regular syntax comes in handy when you are looking for the returned values in the returned fields.
On top of all this you can use the format command to apply all kinds of fun formatting to your subsearch results. :)
Note: After running a search you can click the Actions menu and select "Inspect Search", scroll down to the remoteSearch field, and you can see what the actual query that ended up being built by your subsearch was.
You can pipe your subsearch clause to the format command to see what will actually be returned if you were to use the search to the left as a subsearch. When you use search you get (fieldName=value) combinations coming back, but when you use query you get just (value).
The tip about the query field was very handy. Thanks!
Amen to query!
Thanks! The Query field has helped a lot for subsearches!