Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

set

Synopsis

Performs set operations on subsearches.

Syntax

set (union|diff|intersect) subsearch subsearch

Required arguments

subsearch
Syntax: <string>
Description: Specifies a subsearch. For more information about subsearch syntax, see "How subsearches work" in the User manual.

Description

Performs two subsearches and then executes the specified set operation on the two sets of search results:

  • The result of a union operation are events that result from either subsearch.
  • The result of a diff operation are the events that result from either subsearch that are not common to both.
  • The result of an intersect operation are the events that are common for both subsearches.

Important: The set command works on less than 10,000 results.

Examples

Example 1: Return values of "URL" that contain the string "404" or "303" but not both.

| set diff [search 404 | fields url] [search 303 | fields url]

Example 2: Return all urls that have 404 errors and 303 errors.

| set intersect [search 404 | fields url] [search 303 | fields url]

Note: When you use the fields command in your subsearches, it does not filter out internal fields by default. If you don't want the set command to compare internal fields, such as the _raw or _time fields, you need to explicitly exclude them from the subsearches:

| set intersect [search 404 | fields url | fields - _*] [search 303 | fields url | fields - _*]

See also

append, appendcols, join, diff

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the set command.

PREVIOUS
sendemail
  NEXT
setfields

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

Thanks, Supersleepwaker! I updated the note.

Sophy, Splunker
October 4, 2012

"Important: The set command works on less than 10 thousand results. "<br /><br />That's confusing at a quick glance. Recommend re-writing:<br /><br />"Important: The set command works on less than 10,000 results."

Supersleepwalker
October 3, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters