join command overview
The SPL2 join command combines the left-side dataset with the right-side dataset, by using one or more common fields. The left-side dataset is the set of results from a search that is piped into the join command. The left-side dataset is sometimes referred to as the source data. The right-side dataset can be either a saved dataset or a subsearch.
A maximum of 50000 rows in the right-side dataset can be joined with the left-side dataset. This maximum is set to limit the impact of the join command on performance and resource consumption.
The simplest join possible looks like this:
<left-dataset> | join left=L right=R where L.pid = R.pid <right-dataset>
This joins the source data from the search pipeline with the right-side dataset. Rows from each dataset are merged into a single row if the where predicate is satisfied.
Syntax
The required syntax is in bold.
- join
- (<join-options>...)
- left=<left-alias>
- right=<right-alias>
- where <left-alias>.<left-field>=<right-alias>.<right-field>
- [ AND <left-alias>.<left-field>=<right-alias>.<right-field> ]...
- <right-dataset>
You can specify the aliases and fields in the where clause on either side of the equal sign.
For example, you can specify:
where <left-alias>.<left-field>=<right-alias>.<right-field>
or
where <right-alias>.<right-field>=<left-alias>.<left-field>
See also
into command examples | join command syntax details
This documentation applies to the following versions of Splunk® Cloud Services: current