Join search results with themselves, based on a specified field or list of fields to join on.
selfjoin [<selfjoin-options>...] <field-list>
- Syntax: <field>...
- Description: Specify the field or list of fields to join on.
- Syntax: overwrite=<bool> | max=<int> | keepsingle=<bool>
- Description: Options for the
selfjoincommand that control the result set returned. You can specify one or more of these options.
- Syntax: keepsingle=<bool>
- Description: Controls whether or not results with a unique value for the join fields should be retained. When
keepsingle=truesearch results that have no other results to join with are kept in the output.
- Default: false
- Syntax: max=<int>
- Description: Indicates the maximum number of 'other' results to join with each main result. If
max=0, there is no limit. This argument sets the maximum for the 'other' results. The maximum number of main results is 100,000.
- Default: 1
- Sytnax: overwrite=<bool>
- Description: When
overwrite=true, causes fields from these 'other' results to overwrite fields of the results used as the basis for the join.
- Default: true
Join the results with itself on the 'id' field.
... | selfjoin id
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the selfjoin command.
This documentation applies to the following versions of Splunk Cloud™: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3