join command examples
The following are examples for using the SPL2 join command.
1. Join datasets on fields that have the same name
Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.
... | join left=L right=R where L.product_id=R.product_id vendors
2. Join datasets on fields that have different names
Combine the results from a search with the vendors dataset. The data is joined on a product ID field, which has a different name in each dataset. The field in the left-side dataset is product_id. The field in the right-side dataset is pid.
... | join left=L right=R where L.product_id=R.pid vendors
3. Use words instead of letters as aliases
You can use words for the aliases to help identify the datasets involved in the join. This example uses products and vendors for the aliases.
... | join left=products right=vendors where products.product_id=vendors.pid vendors
4. Return all matching rows in the right-side dataset
By default, only the first row of the right-side dataset that matches a row of the source data is returned. To return all of the matching right-side dataset rows, include the max=<int> argument and set the value to 0. This example joins each matching right-side dataset row with the corresponding source data row. This example uses products, which is a saved dataset, for the right-side dataset. In this example the field names in the left-side dataset and the right-side dataset are different.
... | join max=0 left=L right=R where L.vendor_id=R.vid products
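The effect of max on the result set, modelled in Python as an added example (not Splunk code and not part of the original documentation). The sample rows, the join_rows helper, and the choice to drop source rows that have no match are assumptions of this model.

```python
# Added illustration: a Python model of the max argument, not Splunk code.
from typing import Dict, List

Row = Dict[str, object]

# Constructed sample rows. The field names vendor_id and vid come from the
# example above; the values and the other fields are made up.
VENDORS: List[Row] = [
    {"vendor_id": 1, "vendor": "Acme"},
    {"vendor_id": 2, "vendor": "Globex"},
    {"vendor_id": 3, "vendor": "Initech"},  # no product rows
]
PRODUCTS: List[Row] = [
    {"vid": 1, "product": "anvil"},
    {"vid": 1, "product": "rocket"},  # second match for vendor 1
    {"vid": 2, "product": "widget"},
]


def join_rows(left: List[Row], right: List[Row], left_field: str,
              right_field: str, max_rows: int = 1) -> List[Row]:
    """Join each left (source) row with its matching right-side rows.

    max_rows=1 models the documented default (first match only) and
    max_rows=0 models max=0 (every match). Dropping unmatched source
    rows is an assumption of this model.
    """
    if max_rows < 0:
        raise ValueError("max_rows must be 0 (all matches) or positive")
    # Index right-side rows by key, keeping order so "first" is defined.
    index: Dict[object, List[Row]] = {}
    for r in right:
        key = r.get(right_field)
        if key is not None:
            index.setdefault(key, []).append(r)
    joined: List[Row] = []
    for l in left:
        matches = index.get(l.get(left_field), [])
        if max_rows:  # 0 means no limit
            matches = matches[:max_rows]
        joined.extend({**l, **r} for r in matches)
    return joined


if __name__ == "__main__":
    for label, m in (("default", 1), ("max=0", 0)):
        rows = join_rows(VENDORS, PRODUCTS, "vendor_id", "vid", m)
        print(label, [(r["vendor"], r["product"]) for r in rows])
```

With the default, the second product row for vendor 1 is silently absent from the results, which matters when the join feeds a count or an alert.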
5. Return all matching rows in a subsearch
This example uses a subsearch for the right-side dataset.
... | join left=vendor right=products where vendor.vendor_id=products.vid [ <subsearch> ]
See also
join command usage | lookup command overview
This documentation applies to the following versions of Splunk® Cloud Services: current