join

A join is used to combine the results of a search and subsearch if specified fields are common to each. You can also join a table to itself using the selfjoin command.

Synopsis

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

Syntax

join [join-options]* <field-list> [ subsearch ]

Required arguments

subsearch
Description: A search pipeline. Read more about how subsearches work in the Search manual.

Optional arguments

field-list
Syntax: <field>, ...
Description: Specify the exact fields to use for the join. If no fields are specified, the join uses all fields that are common to both result sets.
join-options
Syntax: type=(inner|outer|left) | usetime=<bool> | earlier=<bool> | overwrite=<bool> | max=<int>
Description: Options to the join command.

Join options

type
Syntax: type=inner | outer | left
Description: Indicates the type of join to perform. An inner join and a left (or outer) join differ in how they treat events in the main pipeline that do not match any event in the subpipeline. In both cases, events that match are joined. The results of an inner join do not include events that have no match. A left (or outer) join does not require each event to have matching field values, and the joined result retains each event even if it matches no rows of the subsearch. Defaults to inner.
usetime
Syntax: usetime=<bool>
Description: Indicates whether to limit matches to sub-results that are earlier or later than the main result to join with. Defaults to false.
earlier
Syntax: earlier=<bool>
Description: If usetime=true, specify whether to join with matches that are earlier (true) or later (false) than the main result. Defaults to true.
overwrite
Syntax: overwrite=<bool>
Description: Indicates if fields from the sub results should overwrite those from the main result if they have the same field name. Defaults to true.
max
Syntax: max=<int>
Description: Indicates the maximum number of sub-results each main result can join with. max=0 means no limit. Defaults to 1.

Description

A traditional join command that joins results from the main results pipeline with the results from the search pipeline provided as the last argument. Optionally, specify the exact fields to join on. If no fields are specified, the join uses all fields that are common to both result sets.

Examples

Example 1: Joins previous result set with results from 'search foo', on the id field.

... | join id [search foo]
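
The following Python sketch is an added example, not Splunk code or part of the original documentation: it models type, max, overwrite and the default field list as this page describes them, so the effect of each option can be checked on data. The login and asset events are constructed, usetime and earlier are not modelled, and taking matches in subsearch order is an assumption.

```python
# Added illustration: an in-memory model of the join options described on this
# page (type, max, overwrite, field-list). Not Splunk code; usetime/earlier are
# not modelled. All sample events below are constructed.

def join(main, sub, fields=None, type="inner", overwrite=True, max=1):
    """Join lists of dict results the way the option descriptions read."""
    if not fields:
        # No field list: use every field common to both result sets.
        main_f = set().union(*(m.keys() for m in main))
        sub_f = set().union(*(s.keys() for s in sub))
        fields = sorted(main_f & sub_f)
    out = []
    for m in main:
        matches = [s for s in sub
                   if all(f in m and f in s and m[f] == s[f] for f in fields)]
        if max:                      # max=0 means no limit
            matches = matches[:max]  # assumption: keep subsearch order
        if not matches:
            if type in ("left", "outer"):
                out.append(dict(m))  # left/outer keeps the unmatched event
            continue                 # inner drops it
        for s in matches:
            row = dict(m)
            for k, v in s.items():
                # overwrite=False keeps the main result's value on a name clash
                if overwrite or k not in row:
                    row[k] = v
            out.append(row)
    return out

# Constructed data: failed logins (main search) and an asset inventory (subsearch).
LOGINS = [
    {"host": "web01", "user": "alice", "status": "failed"},
    {"host": "db07", "user": "bob", "status": "failed"},
    {"host": "unknown-vm", "user": "root", "status": "failed"},
]
ASSETS = [
    {"host": "web01", "owner": "team-web", "status": "in-service"},
    {"host": "db07", "owner": "team-data", "status": "in-service"},
    {"host": "db07", "owner": "team-dba", "status": "retired"},
]

if __name__ == "__main__":
    for row in join(LOGINS, ASSETS, fields=["host"], type="left", overwrite=False):
        print(row)
```

With the defaults (type=inner, overwrite=true), the login from unknown-vm disappears from the output and the login's status field is replaced by the asset's status; type=left with overwrite=false keeps both.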

See also

selfjoin, append, set, appendcols

This documentation applies to the following versions of Splunk: 5.0, 5.0.1, 5.0.2, 5.0.3