The Master's Library • Room 1

Subsearches

A **subsearch** is a search that is enclosed in square brackets `[]` and executed before the main (outer) search.

The results of the subsearch are evaluated, formatted as a search string, and passed back into the outer search.

Subsearch Syntax

```
sourcetype=access_combined
[ search status=500 | return 1 clientip ]
```

The inner search evaluates first, and passes its results to the outer search.
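
To see the search string a subsearch hands back, the pipeline below (an added example, not part of the original lesson) runs an inner search on its own and ends with `format`, the command Splunk applies implicitly to subsearch results. The events are constructed with `makeresults` and documentation-range IP addresses, so it needs no indexed data; the field names `n`, `clientip` and `status` are chosen for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval clientip=case(n=1, "203.0.113.10", n=2, "203.0.113.11", n=3, "203.0.113.10", n=4, "198.51.100.7")
| eval status=if(n=4, 200, 500)
| search status=500
| dedup clientip
| fields clientip
| format
```

The result is a single `search` field holding the `clientip` terms joined with `OR`, which is the text substituted for the square brackets in the outer search. By default a subsearch returns at most 10,000 results and is finalized after 60 seconds, so a filter built from a large result set may be incomplete.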

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write a search for `index=web` that only includes `clientip`s found in `index=security action=blocked`. Hint: pass the subsearch into the main search using square brackets.