Splunk Subsearch

A Splunk subsearch takes the results of an inner search and combines them with the outer search. Subsearches are enclosed in square brackets and begin with the search command. They are evaluated first, before the outer search.
The fields and return commands let you return only the specified fields to the outer search.
Subsearches are limited by time and by number of events: the time limit is 60 seconds and the event limit is 10,000. If the subsearch is still running after 60 seconds, it is finalized. When the limit of 10,000 is reached, the results are truncated.
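
A subsearch of the kind described above, written out as an added example (not from the original page). The index names proxy and auth and the fields action, src_ip and url are assumptions; substitute the ones in your own data. The inner search finds source addresses with more than 20 failed logins in the last 24 hours and hands only src_ip back to the outer search, which then lists what those addresses requested through the proxy.

```spl
index=proxy earliest=-24h
    [ search index=auth action=failure earliest=-24h
      | stats count AS failures BY src_ip
      | where failures > 20
      | fields src_ip ]
| stats count BY src_ip, url
```

Aggregating with stats inside the brackets returns one row per address instead of one per event, which helps keep the subsearch under the 10,000 limit. If the subsearch is finalized or truncated, the outer search filters only on the addresses that were returned, so the remaining addresses are missing from the result.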

