Required arguments

dataset-type
Syntax: datamodel | savedsearch | inputlookup
Description: The type of dataset that you want to use to join with the source data. You can specify datamodel, savedsearch, or inputlookup. The dataset type must precede the dataset name.

dataset-name
Syntax:
Description: The name of the dataset that you want to use to join with the source data. The dataset must be a dataset that you created or are authorized to use. The dataset name must follow the dataset type. For example, if the dataset name is january and the dataset type is datamodel, you specify datamodel:january. You can use either dataset-type:dataset-name or subsearch with the join command, but not both.

subsearch
Syntax:
Description: A secondary search or dataset that specifies the source of the events that you want to join to. The subsearch must be enclosed in square brackets. The results of the subsearch should not exceed available memory. You can use either dataset-type:dataset-name or subsearch in a search, but not both. When a subsearch is used in a search by itself with no join keys, the Splunk software autodetects common fields and combines the search results before the join command with the results of the subsearch.
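The following search is an added example, not part of the original documentation. It shows a join with a bracketed subsearch and no join keys. Every field name and value (user, failures, department, alice, bob, carol) is constructed sample data generated with makeresults, so the search runs without any index.

```spl
| makeresults count=3
| streamstats count AS n
| eval user=case(n=1, "alice", n=2, "bob", n=3, "carol"), failures=n*5
| fields - _time n
| join
    [| makeresults count=2
     | streamstats count AS n
     | eval user=case(n=1, "alice", n=2, "carol"), department=case(n=1, "finance", n=2, "it")
     | fields user department]
```

Because user is the only field that both result sets share, it is autodetected as the join key. Naming the key explicitly (join user [...]) keeps the match stable if either side later gains another shared field.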