Splunk Cloud

Search Reference


selfjoin

Description

Join search results with themselves, based on a specified field or list of fields to join on.

Syntax

selfjoin [<selfjoin-options>...] <field-list>

Required arguments

<field-list>
Syntax: <field>...
Description: Specify the field or list of fields to join on.

Optional arguments

<selfjoin-options>
Syntax: overwrite=<bool> | max=<int> | keepsingle=<bool>
Description: Options for the selfjoin command that control the result set returned. You can specify one or more of these options.

Selfjoin options

keepsingle
Syntax: keepsingle=<bool>
Description: Controls whether results with a unique value for the join fields are retained. When keepsingle=true, search results that have no other results to join with are kept in the output; when keepsingle=false they are dropped.
Default: false
max
Syntax: max=<int>
Description: The maximum number of 'other' results to join with each main result. If max=0, there is no limit. This limit applies only to the 'other' results; the number of main results is capped at 100,000.
Default: 1
overwrite
Syntax: overwrite=<bool>
Description: When overwrite=true, fields from the 'other' results overwrite the fields of the result used as the basis for the join.
Default: true

Examples

Example 1:

Join the results with itself on the 'id' field.

... | selfjoin id
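The documentation above does not spell out how the three options interact, so the following is an added illustration, written for this page and not Splunk's own code, that models the documented semantics in Python: results are grouped on the join fields, the first result of each group is the main result, up to max 'other' results are merged into it (overwrite decides whether their values replace existing ones), and singletons survive only with keepsingle=true. The sample events are constructed to mirror the makeresults example in the comments below, and the rule that the first result of a group acts as the main result is an assumption made for the model.

```python
from typing import Any, Dict, List, Optional

Result = Dict[str, Any]

# Constructed sample events (assumption: they mirror the makeresults/streamstats
# example in the comments: a counts up, b is set only on even rows, c only on odd
# rows, and joiner is a constant so every row shares one join key).
SAMPLE: List[Result] = [
    {"_time": "2017-08-29 08:23:42", "a": 1, "b": None, "c": "somethingelse", "joiner": "x"},
    {"_time": "2017-08-29 08:23:42", "a": 2, "b": "something", "c": None, "joiner": "x"},
]


def selfjoin(results: List[Result], fields: List[str], overwrite: bool = True,
             max_other: int = 1, keepsingle: bool = False) -> List[Result]:
    """Model of `selfjoin [overwrite=...] [max=...] [keepsingle=...] <field-list>`.

    Assumption of this model: within each group of results sharing the same
    join-field values, the first result (in input order) is the main result and
    the ones that follow are the 'other' results joined into it.
    """
    groups: Dict[tuple, List[Result]] = {}
    order: List[tuple] = []
    for r in results:
        key = tuple(r.get(f) for f in fields)  # missing join field -> None
        if key not in groups:
            groups[key] = []
            order.append(key)
        groups[key].append(r)

    out: List[Result] = []
    for key in order:
        members = groups[key]
        if len(members) == 1:
            # A unique join value has nothing to join with: keep it only if keepsingle=true.
            if keepsingle:
                out.append(dict(members[0]))
            continue

        main = dict(members[0])
        # max=0 means no limit on the number of 'other' results per main result.
        others = members[1:] if max_other == 0 else members[1:1 + max_other]
        for other in others:
            for name, value in other.items():
                if value is None:
                    continue  # a null field in an 'other' result contributes nothing
                # overwrite=true: the 'other' value replaces the main value;
                # overwrite=false: the main value wins if it is already set.
                if overwrite or main.get(name) is None:
                    main[name] = value
        out.append(main)
    return out


def demo() -> Optional[Result]:
    """Runs the documented default (overwrite=true max=1 keepsingle=false) on SAMPLE."""
    joined = selfjoin(SAMPLE, ["joiner"])
    return joined[0] if joined else None


if __name__ == "__main__":
    print(demo())
```

With the defaults the two sample rows collapse into one row carrying a=2 (the 'other' value overwrote the main value), b="something" and c="somethingelse", which is the output the commenter shows; with overwrite=false the same call keeps a=1, and joining on a field that is unique per row, such as a, returns nothing unless keepsingle=true.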

See also

join

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the selfjoin command.


This documentation applies to the following versions of Splunk Cloud: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3


Comments

Please note that setting max=0 applies only to the number of 'other' results. The overall number of results returned is still limited to 100,000 total, regardless of max=0.

Pmalcakdoj
January 16, 2018

Hi there, this is a fully-under-documented command. Here is an example if you'd like to further enrich the command.

| makeresults count=2 | streamstats count as a | eval joiner = "x" | eval b = if(a%2==0,"something",null()), c = if(a%2==1,"somethingelse",null()) | selfjoin joiner

Table 1 (results before selfjoin)

_time                a  b          c              joiner
2017-08-29 08:23:42  1             somethingelse  x
2017-08-29 08:23:42  2  something                 x

Output

_time                a  b          c              joiner
2017-08-29 08:24:44  2  something  somethingelse  x


Note how the "a" field is only the latest value, which is different from transaction (where both values would be present).

Alacercogitatus
August 29, 2017
