join command to combine the results of a subsearch with the results of a main search. One or more of the fields must be common to each result set. You can also combine a search result set to itself using the
If you are familiar with SQL but new to SPL, see Splunk SPL for SQL users.
For flexibility and performance, consider using one of the following commands if you do not require join semantics. These commands provide event grouping and correlations using time and geographic location, transactions, subsearches, field lookups, and joins.
|| To append the results of a subsearch to the results of your current search. The events from both result sets are retained.
||Appends the fields of the subsearch results with the input search result fields. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on.|
|| Use when one of the result sets or source files remains static or rarely changes. For example, a file from an external system such as a CSV file.
The look up cannot be a subsearch.
|| In the most simple scenarios, you might need to search only for sources using the OR operator and then use a |
|| To group events by a field and perform a statistical function on the events. For example to determine the average duration of events by host name.
|| Use |
For information about when to use a join, see the flowchart in About event grouping and correlation in the Search Manual.
join [join-options...] [field-list] subsearch
- Syntax: "[" subsearch "]"
- Description: A secondary search where you specify the source of the events that you want to join to. The subsearch must be enclosed in square brackets. The results of the subsearch should not exceed available memory.
- Limitations on the subsearch for the
joincommand are specified in the
limits.conf.specfile. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.
- Syntax: <field>, <field>, ...
- Description: Specify the fields to use for the join. If no fields are specified, all of the fields that are common to both result sets are used.
- Field names must match, not just in name but also in case. You cannot join
product_ID. You must first change the case of the field in the subsearch to match the field in the main search.
- Syntax: type=(inner | outer | left) | usetime=<bool> | earlier=<bool> | overwrite=<bool> | max=<int>
- Description: Options to the join command. Use either
leftto specify a left outer join.
Descriptions for the join-options argument
- Syntax: type=inner | outer | left
- Description: Indicates the type of join to perform. The difference between an
outer) join is how the events are treated in the main search that do not match any of the events in the subsearch. In both inner and left joins, events that match are joined. The results of an
innerjoin do not include events from the main search that have no matches in the subsearch. The results of a
outer) join includes all of the events in the main search and only those values in the subsearch have matching field values.
- Syntax: usetime=<bool>
- Description: A Boolean value that Indicates whether to use time to limit the matches in the subsearch results. Used with the
earlieroption to limit the subsearch results to matches that are earlier or later than the main search results.
- Syntax: earlier=<bool>
- Description: If
earlier=true, the main search results are matched only against earlier results from the subsearch. If
earlier=false, the main search results are matched only against later results from the subsearch. Results that occur at the same time (second) are not eliminated by either value.
- Syntax: overwrite=<bool>
- Description: Indicates whether fields from the subresults overwrite the fields from the main results, if the fields have the same field name.
- Syntax: max=<int>
- Description: Specifies the maximum number of subsearch results that each main search result can join with. If set to
max=0, there is no limit.
join command when the results of the subsearch are relatively small, for example 50,000 rows or less. To minimize the impact of this command on performance and resource consumption, Splunk software imposes some default limitations on the subsearch. See the subsearch section in the syntax for more information about these limitations.
One-to-many and many-to-many relationships
To return matches for one-to-many, many-to-one, or many-to-many relationships, include the
max argument in your
join syntax and set the value to 0. By default
max=1, which means that the subsearch returns only the first result from the subsearch. Setting the value to a higher number or to 0, which is unlimited, returns multiple results from the subsearch.
Combine the results from a main search with the results from a subsearch
search vendors. The result sets are joined on the
product_id field, which is common to both sources.
... | join product_id [search vendors]
If the field names in the sources do not match, you can rename the field in the subsearch result set. The field in the main search is
product_id. The field in the subsearch is
Note: The field names must match in name and in case. You cannot join
... | join product_id [search vendors | rename pid AS product_id]
By default, only the first row of the subsearch that matches a row of the main search is returned. To return all of the matching subsearch rows, include the
max=<int> argument and set the value to 0. This argument joins each matching subsearch row with the corresponding main search row.
... | join product_id max=0 [search vendors]
The dashboards and alerts in the distributed management console shows you performance information about your Splunk deployment. The Resource Usage: Instance dashboard contains a table that shows the machine, number of cores, physical memory capacity, operating system, and CPU architecture.
To display the information in the table, use the following search. This search includes a join command. The search uses the information in the dmc_assets table to look up the instance name and machine name. The search then uses the
serverName field to join the information with information from the
/services/server/info REST endpoint. The
/services/server/info is the URI path to the Splunk REST API endpoint that provides hardware and operating system information for the machine. The
$splunk_server$ part of the search is a token variable.
| inputlookup dmc_assets | search serverName = $splunk_server$ | stats first(serverName) AS serverName, first(host) AS host, first(machine) AS machine | join type=left serverName [ | rest splunk_server=$splunk_server$ /services/server/info | fields serverName, numberOfCores, physicalMemoryMB, os_name, cpu_arch] | fields machine numberOfCores physicalMemoryMB os_name cpu_arch | rename machine AS Machine, numberOfCores AS "Number of Cores", physicalMemoryMB AS "Physical Memory Capacity (MB)", os_name AS "Operating System", cpu_arch AS "CPU Architecture"
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the join command.
This documentation applies to the following versions of Splunk Cloud™: 7.0.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3, 6.5.0