Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

branch command examples

The following are examples for using the SPL2 branch command. To learn more about the branch command, see How the SPL2 branch command works.

1. Specifying multiple branches

You must specify at least 2 branches. This example uses 3 branches.

| search sourcetype=access_* | branch [ stats count() BY productId | into sales ], [ stats avg() BY productId | into metrics ], [ stats count() BY host | into hosts]

While this search is valid, it isn't very efficient because it doesn't filter the search on anything other than sourcetype.

The next example shows how to use a filter to speed up the processing of your branches.

2. Specifying filters

Make your search more efficient by specify a filter on the data.

Filtering on a branch

This search loads all the cities into memory and then processes those events in 3 separate branches. This example uses the where command to filter the data. Because the filter is different for each branch, the filter is added at the beginning of the branch.

| from cities | branch [ where population < 10000 | stats count() BY name | into villages], [ where population >= 10000 AND population <= 1000000 | stats count() by name | into towns], [ where population > 1000000 | stats count() by name | into cities]

This example filters the data before performing the stats command aggregations. For an example of filtering after the aggregations, see the section How the branch command works in branch command overview.

Filtering on the main search

Here is an example that returns results based on successful sales and purchase issues. Because one of the filters is the same for all of the branches, that filter action=purchase is added to the main search. Additionally, each branch includes a filter using the where command.

| search sourcetype=access_* action=purchase | branch [ where status=200 | stats count() BY product | into sales ], [ where status!=200 | stats count() BY product | into purchase_issues]

See also

branch command
branch command overview
branch command syntax details
branch command usage
Other commands
into command overview
where command overview
Last modified on 31 January, 2024
PREVIOUS
branch command usage
  NEXT
dedup command overview

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters