set
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
set
Synopsis
Performs set operations on subsearches.
Syntax
set (union|diff|intersect) subsearch subsearch
Arguments
- subsearch
- Syntax: <string>
- Description: Specifies a subsearch. For more information about subsearch syntax, see "How subsearches work" in the User manual.
Description
Performs two subsearches and then executes the specified set operation on the two sets of search results:
- The result of a union operation are events that result from either subsearch.
- The result of a diff operation are the events that result from either subsearch that are not common to both.
- The result of an intersect operation are the events that are common for both subsearches.
Important: The set command works on less than 10 thousand results.
Examples
Example 1: Return values of "URL" that contain the string "404" or "303" but not both.
| set diff [search 404 | fields url] [search 303 | fields url]Example 2: Return all urls that have 404 errors and 303 errors.
| set intersect [search 404 | fields url] [search 303 | fields url]See also
append, appendcols, join, diff
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.