

Join Command

The join command in Splunk combines the results of a subsearch with the results of the main search. The two result sets must share one or more common fields to join on.

Types of joins:
  • inner join
  • left or outer join

inner join:

In an inner join, only the events that match are included in the result.

Let’s take an example to understand this better.

We have a lookup of cities and their pincodes.

We will match it with our indexed data using an inner join.

We can see that only the results that matched are included in the result. The city Mumbai, which was in the lookup, is not included because it did not match anything in the indexed dataset.

left or outer join:

In a left (or outer) join, all the events of the main search are included, along with the matched results.

Let’s take an example to understand this better.

We can see that the city Mumbai is in the lookup but not in our indexed data, yet it is still included in our results.

This is the only difference between an inner join and a left join.
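The two searches described above, written out as an added example (not the original post's own queries). The lookup file `city_pincode.csv`, the fields `city`, `pincode` and `order_count`, and the `index=main sourcetype=orders` data are assumed names; the lookup is the main search and the indexed data is the subsearch, so the first search drops Mumbai and the second keeps it with a count of 0.

```spl
| inputlookup city_pincode.csv
| join type=inner city
    [ search index=main sourcetype=orders
      | stats count AS order_count BY city ]
| table city pincode order_count

| inputlookup city_pincode.csv
| join type=left city
    [ search index=main sourcetype=orders
      | stats count AS order_count BY city ]
| fillnull value=0 order_count
| table city pincode order_count
```

By default `join` attaches only the first matching subsearch row to each main-search row (`max=1`), which is why the subsearch is collapsed to one row per city with `stats` before joining.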

Join Command Reviewed by Avotrix.Author on Tuesday, January 01, 2019 Rating: 5
