Version: 4.0

Subqueries

About subqueries

Subqueries are a mechanism that lets you run a secondary search inside a single main search query. This allows users to build complex queries by feeding the results of one query into other queries or into additional conditions.

Advantages of using subqueries

  1. Query flexibility: Subqueries allow you to create more complex and flexible queries, including conditions and filters based on the results of other queries.
  2. Efficient use of resources: Subqueries avoid repeating the same operations over large amounts of data, which increases efficiency and optimizes resource use.
  3. More accurate analytical results: Subqueries help you structure queries so that they produce more accurate and specific results.
  4. Advanced analysis: Using subqueries, you can perform deeper data analysis, including exploring relationships and dependencies between different aspects of the data.

How subqueries work

Subqueries in Smart Monitor operate as follows: first, the subquery searches for specific information, which is then added to the main search as a criterion or argument. The primary reason for using subqueries is that the information you are looking for is dynamic and can change with each query execution.

For clarity, consider an example: suppose you need to return all events from the most active node over the past hour. This most active node can change every hour. Therefore, you first need to identify that node, and then search for events from it.

Break this search down into two parts:

  • the most active host in the last hour. This is the subsearch
  • the events from that host. This is the primary search

Time ranges and subsearches

Time ranges selected from the Time Range Picker apply to the base search and to subsearches.

However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch. The time range does not apply to the base search or any other subsearch.

For example, if the Time Range Picker is set to Last 7 days and a subsearch contains earliest=-2d, then the earliest time modifier applies only to the subsearch and Last 7 days applies to the base search.
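As an added example (not code from the Smart Monitor documentation), the two-part search described above and the time-range scoping rules are simulated with a SQL subquery in sqlite3 over constructed events: the subsearch picks the most active host within its own one-hour window, and the primary search returns that host's events for the full picker window. The table name, host names and timestamps are assumptions.

```python
import sqlite3

NOW = 1_000_000  # constructed "current time" so the example is deterministic
HOUR, DAY = 3600, 86400

# Constructed sample events: (host, epoch seconds). Not real telemetry.
EVENTS = [
    ("web01", NOW - 30), ("web01", NOW - 600), ("web01", NOW - 2400),
    ("db01", NOW - 120), ("db01", NOW - 2 * HOUR),  # only one db01 event in the last hour
    ("web01", NOW - 3 * DAY),    # outside the subsearch window, inside a 7-day picker window
    ("db01", NOW - 10 * DAY),    # outside a 7-day picker window entirely
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (host TEXT, ts INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", EVENTS)
    return conn


def events_from_most_active_host(conn, picker_earliest, subsearch_earliest):
    """Primary search: events from the host the subsearch identifies as most active.

    picker_earliest    - Time Range Picker bound; applies to BOTH searches.
    subsearch_earliest - the subsearch's own 'earliest' modifier; applies ONLY
                         to the subsearch, never widening or narrowing the
                         outer search.
    """
    sql = """
        SELECT host, ts FROM events
        WHERE ts >= :picker                   -- picker window on the primary search
          AND host = (
              SELECT host FROM events
              WHERE ts >= :picker             -- picker window also applies here
                AND ts >= :subsearch          -- e.g. earliest=-1h, subsearch only
              GROUP BY host
              ORDER BY COUNT(*) DESC, host    -- host tie-break keeps the result stable
              LIMIT 1)
        ORDER BY ts DESC
    """
    params = {"picker": picker_earliest, "subsearch": subsearch_earliest}
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    rows = events_from_most_active_host(build_db(), NOW - 7 * DAY, NOW - HOUR)
    for host, ts in rows:
        print(f"{host}  {NOW - ts:>7d}s ago")
```

With the picker at "Last 7 days" and the subsearch limited to the last hour, web01 wins the subsearch (3 events vs 1), and the primary search returns all four web01 events of the week, including the 3-day-old one the subsearch never looked at.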