Subqueries

About subqueries

Subqueries are a mechanism for running a secondary search inside a single main search query. This lets you build complex queries by combining the results of one query with other queries or with additional conditions.

Advantages of using subqueries

  1. Query flexibility: Subqueries allow you to create more complex and flexible queries, including conditions and filters based on the results of other queries.
  2. Efficient use of resources: Subqueries avoid performing the same operations over and over again on large amounts of data, which increases efficiency and optimizes the use of resources.
  3. More accurate analytical results: Subqueries help you create queries in a way that produces more accurate and specific results.
  4. Advanced analysis: Using subqueries, you can perform deeper data analysis, including exploring relationships and dependencies between different aspects of the data.

How subqueries work

A subsearch looks for a single piece of information that is then added as a criterion, or argument, to the primary search. You use a subsearch because the single piece of information that you are looking for is dynamic: it might change every time you run the subsearch. For example, you want to return all of the events from the host that was the most active in the last hour. The host that was the most active might be different from hour to hour, so you need to identify the most active host before you can return the events from that host.

Break this search down into two parts:

  • The most active host in the last hour. This is the subsearch.
  • The events from that host. This is the primary search.

Time ranges and subsearches

Time ranges selected from the Time Range Picker apply to the base search and to subsearches.

However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch. The time range does not apply to the base search or any other subsearch.

For example, if the Time Range Picker is set to Last 7 days and a subsearch contains earliest=-2d, then the earliest time modifier applies only to the subsearch and Last 7 days applies to the base search.
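The following added example (not part of the original documentation) models the "most active host" subsearch described above and the time range rules from this section on constructed sample events: the Time Range Picker range applies to both the subsearch and the base search, while an earliest modifier written inside the subsearch replaces the picker range for the subsearch only. Event fields, host names and the fixed "now" are constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    host: str
    msg: str


# Constructed fixed "now" so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, 0)
LAST_HOUR = NOW - timedelta(hours=1)      # subsearch modifier, like earliest=-1h
LAST_2_DAYS = NOW - timedelta(days=2)     # subsearch modifier, like earliest=-2d
LAST_7_DAYS = NOW - timedelta(days=7)     # Time Range Picker set to Last 7 days

# Constructed sample events: web1 is busiest in the last hour, db1 over the week.
EVENTS = [
    Event(NOW - timedelta(minutes=10), "web1", "GET /login"),
    Event(NOW - timedelta(minutes=20), "web1", "GET /login"),
    Event(NOW - timedelta(minutes=30), "web1", "POST /login"),
    Event(NOW - timedelta(minutes=40), "db1", "slow query"),
    Event(NOW - timedelta(hours=3), "db1", "slow query"),
    Event(NOW - timedelta(hours=4), "db1", "slow query"),
    Event(NOW - timedelta(days=1), "db1", "slow query"),
    Event(NOW - timedelta(days=10), "web2", "old event"),  # outside Last 7 days
]


def in_range(events, earliest, latest=NOW):
    """Keep events whose timestamp falls inside [earliest, latest]."""
    return [e for e in events if earliest <= e.time <= latest]


def subsearch_most_active_host(events, picker_earliest, sub_earliest=None):
    """Subsearch: return the single dynamic value, the host with the most events.
    A time modifier inside the subsearch applies only here and overrides the
    picker range; without one, the picker range is inherited."""
    earliest = sub_earliest if sub_earliest is not None else picker_earliest
    counts = Counter(e.host for e in in_range(events, earliest))
    return counts.most_common(1)[0][0] if counts else None


def primary_search(events, picker_earliest, sub_earliest=None):
    """Primary search: events from the host the subsearch found, filtered by the
    picker range only; the subsearch's own time modifier does not leak out."""
    host = subsearch_most_active_host(events, picker_earliest, sub_earliest)
    return [e for e in in_range(events, picker_earliest) if e.host == host]
```

With the picker on Last 7 days and earliest=-1h inside the subsearch, the subsearch picks web1 and the primary search returns web1's three events from the whole week; with no modifier in the subsearch, both parts use the seven-day range and db1 wins instead.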