branch command usage
The SPL2 branch command is a terminating command, which is a command that does not return any search results and must be the last command in the search or pipeline. You can nest additional commands for data processing inside the branch command, but you cannot include any commands after the branch command itself.
Filtering in branches
You can use the first command in a branch to specify conditions or filters for that branch, for example:
| from people
| branch
[where (age < 13 ) | stats count() BY firstname | into child_names],
[where gender = "M" | stats count() BY firstname | into male_names],
[where gender = "F" | stats count() BY firstname | into female_names],
[stats count() BY firstname | into names]
This search loads all of the people into memory and then sends those events down 4 branches.
- The first 3 branches use the
wherecommand to filter the events for people in particular groups (children, men and women) and then calculates thecountusing thestatscommand. - The last branch does not specify a filter before the
statscommand.
Multiple branch commands
You can't specify multiple parallel branch commands in search or pipeline.
Valid usage
This example is valid because there is only one branch command:
| from people
| branch
[where (age < 13 ) | stats count() BY firstname | into child_names],
[where gender = "M" | stats count() BY firstname | into male_names],
[where gender = "F" | stats count() BY firstname | into female_names],
[stats count() BY firstname | into names]
Invalid usage
This example is invalid because you can't specify multiple branch commands at the same level:
| from people
| branch
[where (age < 13 ) | stats count() BY firstname | into child_names]
| branch
[where gender = "M" | stats count() BY firstname | into male_names],
[where gender = "F" | stats count() BY firstname | into female_names],
[stats count() BY firstname | into names]
Nested branch commands
You can specify nested branch commands.
Search example
Here is a search example of nested branch commands:
| from cities
| branch
[ where population < 10000 | stats count() BY name | into villages],
[ where population > 1000000 | stats count() by name | into cities],
[ where population >= 10000 AND population <= 1000000
| branch
[ where region="northeast" | stats count() by name | into ne_towns],
[ where region="south" | stats count() by name | into s_towns],
[ where region="midwest" | stats count() by name | into mw_towns],
[ where region="west" | stats count() by name | into w_towns]
]
Pipeline example
Here is a pipeline example with nested branch commands:
$pipeline = | from $source
| flatten _raw
| rename name as NAME
| branch [
| where country = "USA"
| where state = "New York"
| into $destination1
], [
| where country = "Japan"
| where state = "Kanto"
| into $destination2
], [
| where country = "Netherlands"
| branch [
| where state = "North Holland"
| into $destination3
], [
| where NAME = "Rotterdam"
| where state = "South Holland"
| into $destination4
]
], [
| where country = "UK"
| into $destination5
]
See also
| branch command syntax details | branch command examples |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!