O'Reilly logo

Splunk 7 Essentials - Third Edition by Betsy Page Sigman, Erickson Delgado, J-P Contreras

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Using join

People with experience in Structured Query Language (SQL) will be familiar with the concept of a join. You can use the join command to join the results of the subsearch to your main search results. As part of the join command, you will want to identify a field to join on. Again, the basic syntax is simple:

SPL> . . | join field_name [subsearch]

This will default to an inner join, which includes only events shared in common by the two searches. You can also specify an outer or left join. The outer join contains all the data from both searches, whereas the left join contains the data from events fulfilling main search, as well as the events that are shared in common.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required