Splunk Cloud

Search Reference



Join search results with themselves, based on a specified field or list of fields to join on.


selfjoin [<selfjoin-options>...] <field-list>

Required arguments

<field-list>
Syntax: <field>...
Description: Specify the field or list of fields to join on.

Optional arguments

<selfjoin-options>
Syntax: overwrite=<bool> | max=<int> | keepsingle=<bool>
Description: Options for the selfjoin command that control the result set returned. You can specify one or more of these options.

Selfjoin options

keepsingle
Syntax: keepsingle=<bool>
Description: Controls whether or not results with a unique value for the join fields should be retained. When keepsingle=true, search results that have no other results to join with are kept in the output.
Default: false

max
Syntax: max=<int>
Description: Indicates the maximum number of 'other' results to join with each main result. If max=0, there is no limit. This argument sets the maximum for the 'other' results. The maximum number of main results is 100,000.
Default: 1

overwrite
Syntax: overwrite=<bool>
Description: When overwrite=true, causes fields from these 'other' results to overwrite fields of the results used as the basis for the join.
Default: true


Example 1:

Join the results with themselves on the 'id' field.

... | selfjoin id
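
The following search is an added example, not part of the original Splunk documentation. It builds three constructed results (a logon and a logoff sharing session_id "s1", plus a lone logon for "s2") and joins them on session_id with two non-default options. The field names session_id, action, src and bytes_out and all values are made up for illustration.

```spl
| makeresults count=3
| streamstats count as n
| eval session_id = case(n==1, "s1", n==2, "s1", n==3, "s2")
| eval action = case(n==1, "logon", n==2, "logoff", n==3, "logon")
| eval src = if(action=="logon", "10.0.0.5", null())
| eval bytes_out = if(action=="logoff", 2048, null())
| selfjoin keepsingle=true overwrite=false session_id
| table session_id action src bytes_out
```

Because keepsingle=true, the "s2" result, which has no other result to join with, stays in the output; with the default keepsingle=false it is not retained. Because overwrite=false, a field that both "s1" results carry, such as action, is not overwritten by the value from the 'other' result, as it would be with the default overwrite=true.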



This documentation applies to the following versions of Splunk Cloud: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3


Please note that setting max=0 applies only to the number of 'other' results.
The overall number of results returned is still limited to 100,000 total, regardless of max=0.

January 16, 2018

Hi there, this is a fully-under-documented command. Here is an example if you'd like to further enrich the command.

| makeresults count=2 | streamstats count as a | eval joiner = "x" | eval b = if(a%2==0,"something",null()), c = if(a%2==1,"somethingelse",null()) | selfjoin joiner

Table 1

_time                a  b          c              joiner
2017-08-29 08:23:42  1             somethingelse  x
2017-08-29 08:23:42  2  something                 x

_time                a  b          c              joiner
2017-08-29 08:24:44  2  something  somethingelse  x

Note how the "a" field is only the latest value, which is different from transaction (where both values would be present).

August 29, 2017
