Which statement is true about subsearches?
Which statement is true about subsearches?
Subsearches work best for small result sets. Subsearches can be resource-intensive and slow, especially if they return a large number of results. Therefore, they are more efficient and practical when dealing with smaller datasets.
D is correct.
A is definitely wrong - Subsearches are notoriously SLOW See https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Aboutsubsearches Subsearches are mainly used for two purposes: Parameterize one search, using the output of another search. The example, described above, of searching for the most active host in the last hour is a an example of this use of a subsearch. Run a separate search and add the output to the first search using the append command.
A seems to be right coz for subsearch maxtime = <integer> Maximum number of seconds to run a subsearch before finalizing Defaults to 60
I would also say that D is correct as well. A is definitely wrong, a sub search is not faster than a tstats search for an example.
Answer D is the correct one! "A" is WRONG!
D is the correct
D is correct
Page 38
D is correct.
D is correct
Ref: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches#Subsearch_performance_considerations:~:text=A%20subsearch%20can%20be%20a%20performance%20drain%20if%20the%20search%20returns%20a%20large%20number%20of%20results.