Splunk® Cloud Services

SPL2 Search Reference


join command examples

The following are examples for using the SPL2 join command. To learn more about the join command, see How the join command works.

1. Join datasets on fields that have the same name

Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.

... | join left=L right=R where L.product_id=R.product_id vendors

2. Return all matching rows in the right dataset

By default, only the first row of the right-hand side dataset that matches a row of the source data is returned. To return all of the matching right-hand side dataset rows, include the max=<int> argument and set the value to 0. This example joins each matching right-hand side dataset row with the corresponding source data row. It uses products, which is a saved dataset, for the right-hand side dataset. In this example, the field names in the left-hand side dataset and the right-hand side dataset are different.

... | join max=0 left=L right=R where L.vendor_id=R.vid products
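
The difference between the default and max=0, emulated in Python on constructed rows. This is an added example, not Splunk code or SPL2; the join helper, the sample values, and the inner-join and field-merge behavior are assumptions made for illustration.

```python
# Emulation of the max=<int> behavior described above; not Splunk code.
# Assumptions: inner-join semantics (left rows with no match are dropped) and
# left fields are kept when a right field has the same name.

def join(left_rows, right_rows, left_key, right_key, max_matches=1):
    """Join each left row with up to max_matches right rows; 0 means no limit."""
    if max_matches < 0:
        raise ValueError("max_matches must be 0 or a positive integer")
    # Index the right-hand side dataset by its join field, preserving row order.
    index = {}
    for row in right_rows:
        if right_key in row:
            index.setdefault(row[right_key], []).append(row)
    out = []
    for lrow in left_rows:
        if left_key not in lrow:
            continue  # a row without the join field cannot match
        matches = index.get(lrow[left_key], [])
        if max_matches:
            matches = matches[:max_matches]  # default: first match only
        for rrow in matches:
            merged = dict(rrow)
            merged.update(lrow)  # left fields win on a name clash (assumption)
            out.append(merged)
    return out

# Constructed sample data: field names differ between the two sides
# (vendor_id on the left, vid on the right), as in the example above.
SOURCE = [
    {"vendor_id": 10, "vendor": "Acme"},
    {"vendor_id": 20, "vendor": "Globex"},
    {"vendor_id": 30, "vendor": "Initech"},  # no matching product rows
]
PRODUCTS = [
    {"vid": 10, "product": "anvil"},
    {"vid": 10, "product": "rocket"},
    {"vid": 20, "product": "widget"},
]

def product_names(rows):
    """Reduce joined rows to (vendor, product) pairs for comparison."""
    return [(r["vendor"], r["product"]) for r in rows]

if __name__ == "__main__":
    print("default:", product_names(join(SOURCE, PRODUCTS, "vendor_id", "vid")))
    print("max=0  :", product_names(join(SOURCE, PRODUCTS, "vendor_id", "vid", 0)))
```

With the default, the second product row for vendor 10 is silently absent from the results; with max=0 it is present.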

3. Return all matching rows in a subsearch

This example uses a subsearch for the right-hand side dataset.

... | join left=vendor right=products where vendor.vendor_id=products.vid [ <subsearch> ]

See also

join command
join command overview
join command syntax details
join command usage
Last modified on 29 April, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current
