Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

branch command overview

The SPL2 branch command processes one set of events or search results, in parallel, simultaneous searches. Each search branch must end with the into command.

Syntax

The required syntax is in bold.

branch
[<SPL-literal> | into <dataset>],
[<SPL-literal> | into <dataset>] ...

How the SPL2 branch command works

Using the SPL2 branch command, you can take one set of data and run multiple searches simultaneously against that data. The simultaneous searches are referred to as branches. The results of the searches are placed into separate lookup or splv1sink datasets, using the into command. The data that you search can be events or search results.

Consider the following search. This search reads the events in the main index dataset into memory one time. The events are then processed in two branches using subsearches to determine the most popular hosts and sources.

| from main | branch [stats count() BY host | where count > 50 select host | into p_hosts], [stats count() BY source | where count > 100 select source | into p_sources]


  • The first branch uses the stats command to count the events by host and returns only those hosts with a count above the threshold of 50. Using the into command, the results are appended to the p_hosts dataset.
  • The second branch is similar. The stats command is used to count the events by source and returns only those sources with a count above the threshold of 100. Using the into command, the results are appended to the p_sources dataset.

The branch command does not return any results to the search endpoint. You must send the search results to a lookup or splv1sink dataset using the into command. The into must be the last command in each branch.

The data that you search can be events or search results. The previous example used events from the main index. The following search uses the results returned from the beginning of a search and then processes that data in 3 branches.

| from my_dataset where earliest=-5m@m AND latest=@m | branch [stats avg(cpu_usage) BY host | where avg(cpu_usage) > 2000000 select host | into cpu_hosts], [stats count() BY host | where count > 50 select host | into p_hosts], [stats count() BY source | where count > 100 select source | into p_sources ]

In this example, the average and count aggregations must be calculated first, because the filtering, with the where command, use those aggregations. In other situations, you might want to filter before the aggregations. See the branch command examples.

See also

branch command
branch command syntax details
branch command usage
branch command examples
Other commands
into command overview
where command overview
Last modified on 17 January, 2024
PREVIOUS
bin command examples 		  NEXT
branch command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters