Usage of Splunk commands : UNION

Usage Of Splunk Commands : UNION

● This command merges two or more sets of results into one dataset.
● The union command appends events from different dataset.

Find below the skeleton of the usage of the command “union” in SPLUNK :

...|union [<subsearch-options>] <dataset> [<dataset>...]

Dataset – Sets of results you want to union are known as dataset.
There are two type datasets, It is a required argument.
1. Named dataset – It can be data models, lookups ,saved searches etc
Syntax: <dataset type>:”<dataset name>”
Example– lookup: “new.csv”
2. Unnamed dataset – A subsearch is an unnamed dataset.
Subsearch-options – maxtime=<int> maxout=<int> timeout=<int>  are optional arguments.
1. maxtime is the maximum seconds to run the sub search. (default 60 seconds)
2. maxout is the maximum number of results returned from sub search. (default 50000 results)
3. timeout is the maximum amount of time, in seconds, to cache the sub search results. (default 300 seconds)

Example 1:

| union 
[ search index=_internal], 
[ search index=_audit] 
| stats count by index

Result:


Explanation:
Here as you can see that we merged results from two different indexes ( _internal and _audit). This way you can specify the number of dataset within “[ ]” and delimited by comma “,”. At last using stats command we have shown the number of events from the both indexes.

You can also know about :  Eval vs Fieldformat

Example 2:

index=_internal 
| chart count by method 
| union 
[ search index=_audit 
| chart count by info]

Result:


Explanation:
Here we as one can see that we merged results from two different indexes ( _internal and _audit ), but we did in a different manner. We merged our dataset (i.e. [ search index=_audit | chart count by info]) with the existing main-search (i.e. index=_internal | chart count by method ) using union command, Where results are merged row wise. Orange marked box is the result of _internal index and green marked is the result of _audit index.
This basically does the same as the append command if we replace union with append then also it will generate the same result. To know more about the append command click here.

Example 3:

| append lookup:"countries_gdp.csv" 
[ search index=_internal]

Result:


Explanation:
Here we have used named dataset i.e. lookup and we appended data of _internal index with lookup file “countries_gdp.csv“. In the above picture the red boxed area is the result of “countries_gdp.csv” and in the green box it is showing the rawdata set of _internal index.

Now you can effectively utilize the “union” command in your daily use to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk commands : UNION

Happy Splunking !!

You can also know about :  Difference between STREAMSTATS and EVENTSTATS command in Splunk

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.