join
Description
Combines the results of a subsearch with those of the main search.
Syntax
join [join-options...] [field-list] subsearch
Required Arguments
| Parameter | Syntax | Description |
|---|---|---|
subsearch | [ subsearch ] | The subsearch query must be enclosed in square brackets and start with a source designation (source, script, makeresults, etc.). |
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
field-list | field1 (field2 field3 ...) | If no fields are specified, the system will automatically select the most suitable fields based on their names. | A list of fields to join on for enriching (supplementing) the results. |
join-options | type=(inner|outer|left) | max=<int> | Options specifying how the join is performed. |
Join Options
| Parameter | Syntax | Description |
|---|---|---|
type | type=(inner|outer|left) | type describes how the results are merged together. |
max | max=<int> | Defines the maximum number of records obtained from the join (matches found), to supplement each record of the main search. |
With inner, only those results for which a full match was found will be included in the output (e.g., the user field in the main search matched the user field in the join subsearch).
With left|outer, all results from the main search will be included, and those for which matches were found will be enriched with data from the join.
Examples
These examples demonstrate how join combines the main query with a subquery and how type and max affect the result.
Example 1
In this example, left preserves all records from the main query, while max=3 limits the number of matches from the subquery for each row.
source accessLogs qsize=10
| join type=left max=3 user message
[source radius_logs]
Example 2
In this example, inner keeps only those records that have a complete match by the specified fields in both sources.
source accessLogs
| join type=inner user message
[source radius_logs]
Example 3
This example combines inner matching with the max=5 limitation, which allows restricting the number of matches from the subquery.
source accessLogs
| join type=inner max=5 user message
[source radius_logs]