Splunk® Cloud Services

SPL2 Search Reference

branch command usage

Filtering in branches

You can use the first command in a branch to specify condition or filters for that branch, for example:

| from people | branch [where (age < 13 ) | stats count() BY firstname | into child_names], [where gender = "M" | stats count() BY firstname | into male_names], [where gender = "F" | stats count() BY firstname | into female_names], [stats count() BY firstname | into names]

This search loads all of the people into memory and then sends those events down 4 branches.

  • The first 3 branches use the where command to filter the events for people in particular groups (children, men and women) and then calculates the count using the stats command.
  • The last branch does not specify a filter before the stats command.

Multiple branch commands

You can't specify multiple, parallel branch commands in search or pipeline.

Valid usage

This example is valid because there is only one branch command:

| from people | branch [where (age < 13 ) | stats count() BY firstname | into child_names], [where gender = "M" | stats count() BY firstname | into male_names], [where gender = "F" | stats count() BY firstname | into female_names], [stats count() BY firstname | into names]

Invalid usage

This example is invalid because you can't specify multiple branch commands at the same level:

| from people | branch [where (age < 13 ) | stats count() BY firstname | into child_names] | branch [where gender = "M" | stats count() BY firstname | into male_names], [where gender = "F" | stats count() BY firstname | into female_names], [stats count() BY firstname | into names]

Nested branch commands

You can specify nested branch commands.

Search example

Here is a search example of nested branch commands:

| from cities | branch [ where population < 10000 | stats count() BY name | into villages], [ where population > 1000000 | stats count() by name | into cities], [ where population >= 10000 AND population <= 1000000 | branch [ where region="northeast" | stats count() by name | into ne_towns], [ where region="south" | stats count() by name | into s_towns], [ where region="midwest" | stats count() by name | into mw_towns], [ where region="west" | stats count() by name | into w_towns] ]

Pipeline example

Here is a pipeline example with nested branch commands: 

$pipeline = | from $source 
| flatten _raw
| rename name as NAME
| branch [
    | where country = "USA" 
    | where state = "New York" 
    | into $destination1
], [
    | where country = "Japan" 
    | where state = "Kanto" 
    | into $destination2
], [
    | where country = "Netherlands"  
    | branch [
        | where state = "North Holland" 
        | into $destination3
    ], [
        | where NAME  = "Rotterdam" 
        | where state = "South Holland" 
        | into $destination4
    ]
], [
    | where country = "UK" 
    | into $destination5
]

See also

branch command
branch command overview
branch command syntax details
branch command examples
Last modified on 09 October, 2024
branch command syntax details   branch command examples

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters