join command examples
The following are examples for using the SPL2 join command.
To learn more about the join command, see How the join command works.
1. Join datasets on fields that have the same name
Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.
... | join left=L right=R where L.product_id=R.product_id vendors
2. Return all matching rows in the right dataset
By default, only the first row of the right-side dataset that matches a row of the source data is returned. To return all of the matching right-side dataset rows, include the max=<int> argument and set the value to 0. This example joins each matching right-side dataset row with the corresponding source data row. This example uses products, which is a saved dataset, for the right-side dataset. In this example the field names in the left-side dataset and the right-side dataset are different.
... | join max=0 left=L right=R where L.vendor_id=R.vid products
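The following Python model of the max behavior described in this example is added for illustration and is not Splunk code. The sample rows are constructed, and dropping source rows that have no match (an inner join) is an assumption of the model. It also counts the right-side matches that the default setting leaves out, which is the figure to check before relying on a join to enumerate every related row.

```python
# Model of "join max=<int> left=L right=R where L.vendor_id=R.vid products".
# Not Splunk's implementation: it only mirrors the row-matching rule in the text.

# Constructed sample data: source (left) rows and the right-side dataset.
VENDORS = [
    {"vendor_id": 1, "vendor_name": "Acme"},
    {"vendor_id": 2, "vendor_name": "Globex"},
    {"vendor_id": 3, "vendor_name": "Initech"},   # has no matching product
]
PRODUCTS = [
    {"vid": 1, "product_name": "router"},
    {"vid": 1, "product_name": "switch"},
    {"vid": 2, "product_name": "firewall"},
    {"vid": 1, "product_name": "modem"},
]


def join(left_rows, right_rows, left_field, right_field, max_rows=1):
    """Join rows where left[left_field] == right[right_field].

    max_rows=1 keeps only the first matching right-side row per source row
    (the default described above); max_rows=0 keeps every match.
    Returns (joined_rows, dropped), where dropped is the number of matching
    right-side rows that the max_rows limit excluded.
    """
    joined, dropped = [], 0
    for left in left_rows:
        matches = [r for r in right_rows if r[right_field] == left[left_field]]
        kept = matches if max_rows == 0 else matches[:max_rows]
        dropped += len(matches) - len(kept)
        # Assumption: source rows with no match produce no output row.
        joined.extend({**left, **right} for right in kept)
    return joined, dropped


if __name__ == "__main__":
    for limit in (1, 0):
        rows, dropped = join(VENDORS, PRODUCTS, "vendor_id", "vid", max_rows=limit)
        print(f"max={limit}: {len(rows)} rows returned, {dropped} matches dropped")
        for row in rows:
            print("   ", row["vendor_name"], "->", row["product_name"])
```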
3. Return all matching rows in a subsearch
This example uses a subsearch for the right-side dataset.
... | join left=vendor right=products where vendor.vendor_id=products.vid [ <subsearch> ]
This documentation applies to the following versions of Splunk® Cloud Services: current