The Master's Library • Room 3
The Join Command
The **join** command combines the results of a main search with the results of a subsearch using one or more common fields.
By default, join performs an inner join: it only keeps results that exist in BOTH datasets.
Use `type=outer` to keep all results from the main search, even if they don't match the subsearch.
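An added example, not part of the original lesson: this search builds three constructed web events and one constructed blocked event with `makeresults`, so the two join types can be compared without any indexed data. The IP addresses and the `action` value are made up for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval clientip="10.0.0.".n
| join type=outer clientip
    [| makeresults
     | eval clientip="10.0.0.2", action="blocked"
     | fields clientip action ]
| table clientip action
```

With `type=outer`, all three `clientip` rows come back and only 10.0.0.2 carries `action=blocked`. Remove `type=outer` and the default inner join returns just the 10.0.0.2 row.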
Inner Join
```
index=web | join clientip [ search index=security action=blocked ]
```
Knowledge Check
Prove your understanding to clear the room (Rewards XP)
Write an outer join on the "user" field, joining index=activity with a subsearch for index=ldap.