Splunk® Cloud Services

SPL2 Search Reference

union command examples

The following are examples of using the SPL2 union command. To learn more about the union command, see How the SPL2 union command works.

1. Union events from multiple datasets

The following example merges events from the customers and orders index datasets, and the vendors_lookup dataset. You must separate the dataset names with a comma.

| union customers, orders, vendors_lookup


You can also embed the union command in the from command by using a subsearch in the FROM clause expression:

| FROM [union customers, orders, vendors_lookup] WHERE ...

2. Union events from an incoming set of search results

The following example merges events from incoming search results with an existing dataset.

| from mysecurityview | fields _time, clientip | union customers

3. Union the results of a subsearch to the results of the main search

The following example appends the tabular results of errors from the subsearch to the current results of the main search.

... | stats count() BY category1 | union [search error | stats count() BY category2]

See also

union command
union command overview
union command syntax details
union command usage
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

