A subsearch is a Splunk search whose search pipeline is passed as an argument to another search. Subsearches in Splunk are enclosed in square brackets and are evaluated first, before the outer search runs. Think of a subsearch as the equivalent of a SQL subquery (a subquery is a SQL query nested inside a larger query).
Subsearches are mainly used for three purposes:
- To parameterize one search using the output of another search
- To run a separate search but to stitch the output to the first search using the
- To create a conditional search, where you only see the results of your search if they meet a criterion or threshold established by the subsearch
Generally, you use a subsearch to take the results of one search and use them in another search, all in a single Splunk search ...
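As an added example (not from the original page), here is the first purpose, parameterizing one search with the output of another, written as a detection search: the bracketed subsearch finds users with many failed logins from several sources in the last day, and the outer search then looks only at successful logins for those users. The index name `auth` and the fields `action`, `user` and `src_ip` are assumptions.

```spl
index=auth action=success
    [ search index=auth action=failure earliest=-24h latest=now
      | stats dc(src_ip) AS sources, count AS failures BY user
      | where failures >= 20 AND sources >= 5
      | fields user ]
| stats earliest(_time) AS first_success, values(src_ip) AS src_ips BY user
```

Splunk runs the bracketed search first and rewrites its output into a filter of the form `(user="a") OR (user="b") ...` that is applied to the outer search. By default a subsearch is capped at 10,000 results and 60 seconds (the `maxout` and `maxtime` settings in limits.conf), so a noisy subsearch is silently truncated; check the search job's messages when results look incomplete.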