join
Description
Combines the results of a subsearch with those of the main search.
Syntax
join [join-options...] [field-list] subsearch
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
subsearch | [ subsearch ] | The subsearch query must be enclosed in square brackets and start with a source designation (source, script, makeresults, etc.). |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
field-list | field1 (field2 field3 ...) | If no fields are specified, the system will automatically select the most suitable fields based on their names. | A list of fields to join on for enriching (supplementing) the results. |
join-options | type=(inner|outer|left) | max=<int> | Options specifying how the join is performed. |
Join Options
| Parameter | Syntax | Description |
|---|---|---|
type | type=(inner|outer|left) | type describes how the results are merged together. |
max | max=<int> | Defines the maximum number of records obtained from the join (matches found), to supplement each record of the main search. |
Join Types
With inner, only those results for which a full match was found will be included in the output (e.g., the user field in the main search matched the user field in the join subsearch).
With left|outer, all results from the main search will be included, and those for which matches were found will be enriched with data from the join.
Query Examples
Example #1
source accessLogs qsize=10
| join type=left max=3 user message
[source radius_logs]
Example #2
source accessLogs
| join type=inner user message
[source radius_logs]
Example #3
source accessLogs
| join type=inner max=5 user message
[source radius_logs]