Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

join

A join is used to combine the results of a search and subsearch if specified fields are common to each. You can also join a table to itself using the selfjoin command.

Synopsis

SQL-like joining of results from the main results pipeline with the results from the subpipeline.

Syntax

join [join-options]* <field-list> [ subsearch ]

Required arguments

subsearch
Description: A search pipeline. Read more about how subsearches work in the User manual.

Optional arguments

field-list
Syntax: <field>, ...
Description: Specify the exact fields to use for the join. If none are specified, uses all fields that are common to both result sets.
join-options
Syntax: type=(inner|outer|left) | usetime=<bool> | earlier=<bool> | overwrite=<bool> | max=<int>
Description: Options to the join command.

Join options

type
Syntax: type=inner | outer | left
Description: Indicates the type of join to perform. Basically, the difference between an inner and a left (or outer) join is how they treat events in the main pipeline that do not match any in the subpipeline. In both cases, events that match are joined. The results of an inner join will not include any events with no matches. A left (or outer) join does not require each event to have matching field values; and the joined result retains each event—even if there is no match with any rows of the subsearch. Defaults to inner.
usetime
Syntax: usetime=<bool>
Description: Indicates whether to limit matches to sub-results that are earlier or later than the main result to join with. Defaults to false.
earlier
Syntax: earlier=<bool>
Description: If usetime=true, specify whether to join with matches that are earlier (true) or later (false) than the main result. Defaults to true.
overwrite
Syntax: overwrite=<bool>
Description: Indicates if fields from the sub results should overwrite those from the main result if they have the same field name. Defaults to true.
max
Syntax: max=<int>
Description: Indicates the maximum number of sub-results each main result can join with. If max=0, means no limit. Defaults to 1.

Description

Traditional join command that joins results from the main results pipeline with the results from the search pipeline provided as the last argument. Optionally specifies the exact fields to join on. If no fields specified, will use all fields that are common to both result sets.

Examples

Example 1: Joins previous result set with results from 'search foo', on the id field.

... | join id [search foo]

See also

selfjoin, append, set, appendcols

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the join command.

PREVIOUS
iplocation
  NEXT
kmeans

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters