With NRQL, you can run a subquery, which is a query nested inside another query.
A subquery is a query that's nested inside another query: they allow you to use the result of one query in another query. Examples of things you can do with subqueries:
- Perform calculations on the child entities of a parent entity
- See error logs for hosts with high CPU load based on the infrastructure agent's CPU utilization
Here's an example query for getting a count of transactions with an above-average duration:
SELECT count(*) FROM Transaction WHERE duration > (SELECT average(duration) FROM Transaction)
A subquery's results must make sense in context. In the example above, the greater-than condition in the
WHERE clause requires a subquery that returns a single value. A subquery that returns a set of values (e.g. a
uniques() subquery) would fail.
A subquery may be nested inside another subquery. A maximum of three subqueries, nested or unnested, is allowed in a query.
The subquery's time range will be the same as the outer query's, unless explicitly specified with
UNTIL. In a dashboard, choosing a window from the time picker aligns the subquery's time range with the outer query's. If you've set Ignore Time Picker for that chart, then the subquery's time range and the outer query's time range will not be the same.
During query execution, each subquery is run independently, and its result is used as a constant value, or set of values, in the outer query. Due to this execution model, subqueries may not reference attributes and values from the outer query.
The query duration limit is honored for queries with subqueries. This means that all subqueries and the outer query must complete execution within the duration limit.
The maximum number of results a subquery can return is the same as the
LIMIT MAX value: 5,000. When that limit is exceeded, it may result in incomplete results and this error message: "Subquery may have reached the maximum result member limit, which may cause an incomplete result."
Subqueries vs. nested aggregation
Though they appear similar, subqueries shouldn't be confused with nested aggregations, which allow the aggregation of the result of a nested query. Nested aggregations are used in the
FROM clause, while subqueries are used in the
SELECT statement and
- Subqueries aren't supported in NRQL alert conditions. Because queries with subqueries require making multiple passes over data, subqueries are incompatible with streaming alerts.
COMPARE WITHclauses, which cause queries to return multiple sets of results, are not supported in subqueries.
- Subqueries can't appear in the
FACETclause, though they can appear in the
WHEREclauses used in
- Has limits on the number of results
Here are some example subqueries: