branch command examples
The following are examples for using the SPL2 branch command. To learn more about the branch command, see How the SPL2 branch command works.
1. Specifying multiple branches
You must specify at least 2 branches. This example uses 3 branches.
| search sourcetype=access_*
| branch
[ stats count() BY productId | into sales ],
[ stats avg() BY productId | into metrics ],
[ stats count() BY host | into hosts]
While this search is valid, it isn't very efficient because it doesn't filter the search on anything other than sourcetype. The next example shows how to use a filter to speed up the processing of your branches.
2. Specifying filters
Make your search more efficient by specifying a filter on the data.
Filtering on a branch
This search loads all the cities into memory and then processes those events in 3 separate branches. This example uses the where command to filter the data. Because the filter is different for each branch, the filter is added at the beginning of the branch.
| from cities
| branch
[ where population < 10000 | stats count() BY name | into villages ],
[ where population >= 10000 AND population <= 1000000 | stats count() BY name | into towns ],
[ where population > 1000000 | stats count() BY name | into cities ]
This example filters the data before performing the stats command aggregations. For an example of filtering after the aggregations, see the section How the branch command works in branch command overview.
Filtering on the main search
Here is an example that returns results based on successful sales and purchase issues. Because one of the filters is the same for all of the branches, that filter, action=purchase, is added to the main search. Additionally, each branch includes a filter using the where command.
| search sourcetype=access_* action=purchase
| branch
[ where status=200 | stats count() BY product | into sales ],
[ where status!=200 | stats count() BY product | into purchase_issues ]
3. Pipeline examples
These examples show how to use the branch command in a pipeline.
Branch pipeline data before processing
The following example uses the branch command to make 2 complete copies of the incoming data and sends the data to different destinations.
- For the first copy, the data is sent to an existing index named buttercup in a cisco_syslog destination.
- For the second copy, the IP addresses are obscured by using the hashing function, sha256, and then the data is sent to an Amazon S3 destination.
$pipeline = | from $source
| branch
[ | eval index="buttercup" | into $cisco_syslog_destination ],
[ | eval ip_address = sha256(ip_address) | into $aws_s3_destination ]
Branch after processing pipeline data
The following pipeline hashes the values in the ip_address field using the SHA-256 algorithm, then uses the branch command to create pipeline paths that send the data to 3 different existing indexes in 3 different destinations:
$pipeline = | from $source
| eval ip_address = sha256(ip_address)
| branch
[ | eval index="buttercup" | into $first_destination ],
[ | eval index="splunk" | into $second_destination ],
[ | eval index="cisco" | into $third_destination ]
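The following Python program is an added example and is not Splunk code or SPL2: it simulates, in plain Python, the branch semantics used by "Filtering on a branch" above and by the two pipeline examples in this section, so you can see on sample data what each branch receives and emits. The helper names (where, eval_field, stats_count_by, branch, sha256_hex, run_city_branches, run_branch_before_processing, run_branch_after_processing) and the CITIES and SYSLOG records are constructed for the example and are not part of SPL2. The point it makes visible is the one the page states: each branch works on its own complete copy of the incoming events, so hashing ip_address inside one branch leaves the other branch's copy untouched, whereas hashing before the branch command changes every copy. One caveat for the hashing step: sha256() of an IPv4 address pseudonymizes rather than anonymizes the field, because the 32-bit address space is small enough to enumerate; that is a property of an unkeyed hash, not of the branch command.

```python
import hashlib
from typing import Callable, Dict, List

# A pipeline stage takes a list of events (dicts) and returns a new list of events.
Stage = Callable[[List[dict]], List[dict]]


def where(predicate) -> Stage:
    """Like `| where <expr>`: keep only the events for which predicate(event) is true."""
    return lambda events: [e for e in events if predicate(e)]


def eval_field(name: str, fn) -> Stage:
    """Like `| eval <name> = <expr>`: add or overwrite one field on every event."""
    return lambda events: [{**e, name: fn(e)} for e in events]


def stats_count_by(field: str) -> Stage:
    """Like `| stats count() BY <field>`: one result row per distinct field value."""
    def stage(events):
        counts: Dict[object, int] = {}
        for e in events:
            key = e.get(field)
            counts[key] = counts.get(key, 0) + 1
        return [{field: k, "count": n}
                for k, n in sorted(counts.items(), key=lambda kv: str(kv[0]))]
    return stage


def sha256_hex(value) -> str:
    """Stand-in for the SPL2 sha256() function: hex digest of the value's string form."""
    return hashlib.sha256(str(value).encode("utf-8")).hexdigest()


def branch(events: List[dict], *branches) -> Dict[str, List[dict]]:
    """Like `| branch [ ... ], [ ... ]`: every branch gets its own complete copy of the
    incoming events and runs its stages independently. The result is keyed by the
    branch's `into` target so each destination's output can be inspected."""
    if len(branches) < 2:
        raise ValueError("branch requires at least 2 branches")
    results: Dict[str, List[dict]] = {}
    for target, stages in branches:
        copy = [dict(e) for e in events]  # copy so branches never see each other's edits
        for stage in stages:
            copy = stage(copy)
        results[target] = copy
    return results


# Constructed sample data for the example (not from the Splunk documentation).
CITIES = [
    {"name": "Oakvale", "population": 4200},
    {"name": "Millbrook", "population": 9800},
    {"name": "Riverton", "population": 250000},
    {"name": "Metropolis", "population": 3500000},
    {"name": "Oakvale", "population": 4100},  # a second record for the same village
]

SYSLOG = [
    {"ip_address": "10.0.0.1", "message": "login ok"},
    {"ip_address": "192.0.2.7", "message": "login failed"},
]


def run_city_branches():
    """'Filtering on a branch': a different where filter at the start of each branch."""
    return branch(
        CITIES,
        ("villages", [where(lambda e: e["population"] < 10000), stats_count_by("name")]),
        ("towns", [where(lambda e: 10000 <= e["population"] <= 1000000), stats_count_by("name")]),
        ("cities", [where(lambda e: e["population"] > 1000000), stats_count_by("name")]),
    )


def run_branch_before_processing():
    """'Branch pipeline data before processing': only the S3 copy gets hashed addresses."""
    return branch(
        SYSLOG,
        ("cisco_syslog_destination", [eval_field("index", lambda e: "buttercup")]),
        ("aws_s3_destination", [eval_field("ip_address", lambda e: sha256_hex(e["ip_address"]))]),
    )


def run_branch_after_processing():
    """'Branch after processing pipeline data': hash once, then fan out to 3 indexes."""
    hashed = eval_field("ip_address", lambda e: sha256_hex(e["ip_address"]))(SYSLOG)
    return branch(
        hashed,
        ("first_destination", [eval_field("index", lambda e: "buttercup")]),
        ("second_destination", [eval_field("index", lambda e: "splunk")]),
        ("third_destination", [eval_field("index", lambda e: "cisco")]),
    )


if __name__ == "__main__":
    for runner in (run_city_branches, run_branch_before_processing, run_branch_after_processing):
        for target, rows in runner().items():
            print(f"{runner.__name__} -> {target}: {rows}")
```

Running the script prints each branch's output. In the "before processing" run the cisco_syslog copy still carries the clear-text ip_address while the S3 copy carries the 64-character digest; in the "after processing" run all three destinations receive the digest, which is exactly the difference between placing the eval before or inside the branch command.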
See also
- Other commands
- into command overview
- where command overview
- Pipelines
- Edge Processor pipeline syntax in the Use Edge Processors manual
- Ingest Processor pipeline syntax in the Use Ingest Processors manual
This documentation applies to the following versions of Splunk® Cloud Services: current