
Splunk 7 Essentials - Third Edition by Betsy Page Sigman, Erickson Delgado, J-P Contreras


Subsearch

A subsearch is a search within a search. If your main search requires data as a result of another search, use Splunk's subsearch capability to combine two searches into one. 

Say you want to find statistics about the server that generates the most HTTP status 500 errors. You can achieve your goal of finding the culprit server with two searches.

The first search, shown next, returns the server address with the most 500 errors. Note that limit=1 restricts the top command to a single result, and fields + server_ip (the + sign means include) keeps only the server_ip field:

SPL> index=main http_status_code=500 | top limit=1 server_ip 
     | fields + server_ip

The result of this search will be one of the three IP addresses generated from our Eventgen data.
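The two searches combined into one with a subsearch, as an added example rather than the book's own listing; the outer stats clause is an assumed choice of statistic. Splunk runs the bracketed search first and substitutes its single server_ip result into the outer search as a filter, so the outer search only sees events from that server:

```spl
index=main
    [ search index=main http_status_code=500
      | top limit=1 server_ip
      | fields + server_ip ]
| stats count by server_ip, http_status_code
| sort - count
```

Appending | format to the first search shown above displays the filter expression that the brackets hand to the outer search, which is a quick way to check what a subsearch actually returns before relying on it.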
