If either of these limits is reached, there is probably a better way to accomplish the
task at hand.
Another consideration is that the fields returned from the subsearch must be
searchable. There is a magical field called "search" that will be added to the
query as a raw search term, but you have to do a little more work. See "search
context" later in this chapter for an example.
Nested subsearches
Subsearches can also be nested, if needed. With mail server logs, it is sometimes
necessary to find all the events related to a particular message. Some fictitious log
entries are given, such as:
... in=123 msgid=123456 from=mary@companyx.com
... msgid=123456 out=987 subject=Important
... out=987 to=bob@vendor1.co.uk
The first event carries the from value, but it has nothing in common with the event that contains the to field. Luckily, there is an interim event that contains out and also contains msgid, the field we already have from the first event.
We can write a query like this to find our events:
[search sourcetype=mail out
[search sourcetype=mail from=mary@companyx.com | fields msgid]
| fields out]
sourcetype=mail to
Here are the parts of the search, numbered according to the order of execution:
1. [search sourcetype=mail from=mary@companyx.com | fields msgid]
2. [search sourcetype=mail out ... | fields out]
3. sourcetype=mail to
Let's step through this example:
1.
The innermost nested search (1) is run:
sourcetype=mail from=mary@companyx.com | fields msgid
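To make the expansion visible end to end, here is an added Python emulation of how the three levels above feed into one another. It is not Splunk code and not the book's code: the events are constructed from the three fictitious lines (plus a second message and one non-mail event so the filters have something to exclude), bare terms are matched as whitespace- and punctuation-split tokens of the raw text, and the rendered expansion string only approximates what Splunk shows in the job inspector. The MAXOUT cap mirrors the default subsearch result limit in limits.conf.

```python
"""Emulation of Splunk's nested-subsearch expansion over constructed mail events.

Hypothetical example: not Splunk code and not a real log. It models only the
behaviour described in the text: a subsearch returns field=value rows, and
those rows are ORed into the outer search as extra constraints.
"""
import re
from typing import Dict, List, Optional

# Constructed events modelled on the fictitious lines in the text, plus a
# second message and one non-mail event that the filters must exclude.
EVENTS = [
    {"sourcetype": "mail", "_raw": "in=123 msgid=123456 from=mary@companyx.com"},
    {"sourcetype": "mail", "_raw": "msgid=123456 out=987 subject=Important"},
    {"sourcetype": "mail", "_raw": "out=987 to=bob@vendor1.co.uk"},
    {"sourcetype": "mail", "_raw": "in=124 msgid=654321 from=alice@companyx.com"},
    {"sourcetype": "mail", "_raw": "msgid=654321 out=988 subject=Weekly"},
    {"sourcetype": "mail", "_raw": "out=988 to=carol@vendor2.example"},
    {"sourcetype": "proxy", "_raw": "out=987 to=nobody@example.org"},
]

KV = re.compile(r"(\w+)=(\S+)")
MAXOUT = 10000  # default subsearch result cap (limits.conf [subsearch] maxout)


def extract(event: Dict[str, str]) -> Dict[str, str]:
    """Pull key=value pairs out of _raw and keep sourcetype as a field."""
    fields = dict(KV.findall(event["_raw"]))
    fields["sourcetype"] = event["sourcetype"]
    return fields


def term_matches(fields: Dict[str, str], raw: str, term: str) -> bool:
    """'key=value' must match an extracted field; a bare word must be a token of _raw."""
    if "=" in term:
        key, value = term.split("=", 1)
        return fields.get(key) == value
    return term in re.split(r"\W+", raw)


def run_search(events, query: str, rows: Optional[List[Dict[str, str]]] = None):
    """Evaluate a flat search; `rows` are subsearch results ORed in as constraints.

    Every term in `query` must match (AND); if `rows` is given, at least one row
    must match on all of its fields (OR of ANDs), which is what a subsearch
    expands to. An empty row list therefore matches nothing.
    """
    hits = []
    for ev in events:
        fields = extract(ev)
        if not all(term_matches(fields, ev["_raw"], t) for t in query.split()):
            continue
        if rows is not None and not any(
            all(fields.get(k) == v for k, v in row.items()) for row in rows
        ):
            continue
        hits.append(ev)
    return hits


def fields_cmd(events, names: List[str], maxout: int = MAXOUT):
    """Model `| fields a b` at the end of a subsearch: keep only those fields, drop
    events that have none of them, and truncate at the result cap."""
    rows = []
    for ev in events:
        ex = extract(ev)
        row = {n: ex[n] for n in names if n in ex}
        if row:
            rows.append(row)
    return rows[:maxout]


def render_subsearch(rows) -> str:
    """Approximate the expanded form: rows ORed together, fields within a row ANDed."""
    groups = [" ".join(f'{k}="{v}"' for k, v in row.items()) for row in rows]
    return "( " + " OR ".join(f"( {g} )" for g in groups) + " )"


def find_related_events(events, sender: str):
    """The three-level query from the text, evaluated innermost first."""
    step1 = fields_cmd(run_search(events, f"sourcetype=mail from={sender}"), ["msgid"])
    step2 = fields_cmd(run_search(events, "sourcetype=mail out", step1), ["out"])
    step3 = run_search(events, "sourcetype=mail to", step2)
    return {
        "msgid_rows": step1,
        "out_rows": step2,
        "expanded": f"sourcetype=mail to {render_subsearch(step2)}",
        "events": [ev["_raw"] for ev in step3],
    }


if __name__ == "__main__":
    result = find_related_events(EVENTS, "mary@companyx.com")
    print(result["expanded"])
    for line in result["events"]:
        print(line)
```

Running it for mary@companyx.com yields a single msgid row, a single out row, and only the mail event addressed to bob@vendor1.co.uk; the proxy event that also carries out=987 is dropped by the sourcetype term, and a sender with no events produces an empty row list that matches nothing at the next level, which is exactly why a subsearch that returns no rows silently empties the outer search.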