The join command in Splunk is used to combine the results of the sub search with the main search. One or more common fields is required to combine.

Types of joins:
  • inner join
  • left or outer join

inner join:
In inner join only the events which are matched are included in result.

Let’s take an example to understand this better.

We have a lookup of cities and their pincodes.

We will match it with our indexed data using inner join.

We can see that only the results which were matched is included in result. The city Mumbai which was in lookup is not included as it doesn’t matched with indexed dataset.

left or outer join:

In left or outer join all the events of main search are included along with the matched results.

Let’s take an example to understand this better.

We can see that city Mumbai is in lookup but not in our index data, yet it’s getting included in our results.

This is the only difference between inner and left  join.

If you are still facing issue regarding join command in splunk Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on 👍 Social Networks, happy Splunking >😉