selfjoin
selfjoin
Synopsis
Joins results with itself.
Syntax
selfjoin [<selfjoin-options>]* <field-list>
Required arguments
- <field-list>
- Sytnax: <field>...
- Description: Specify the field or list of fields to join on.
- <selfjoin-options>
- Syntax: overwrite=<bool> | max=<int> | keepsingle=<bool>
- Description: Options for the selfjoin command. You can use a combination of the three options.
Selfjoin options
- keepsingle
- Syntax: keepsingle=<bool>
- Description: Controls whether or not results with a unique value for the join fields (which means, they have no other results to join with) should be retained. Defaults to false.
- max
- Syntax: max=<int>
- Description: Indicate the maximum number of 'other' results to join with each main result. If 0, there is no limit. Defaults to 1.
- overwrite
- Sytnax: overwrite=<bool>
- Description: Specify if fields from these 'other' results should overwrite fields of the results used as the basis for the join. Defaults to true.
Description
Join results with itself, based on a specified field or list of fields to join on. The selfjoin options, overwrite, max, and keepsingle controls the out results of the selfjoin.
Examples
Example 1: Join results with itself on 'id' field.
... | selfjoin idSee also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the selfjoin command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.