Join two humio searches.
See also the join guide with examples.
When joining two searches, you need to define the keys/fields that are used to match up results. This is done using the field=name or field=[name,name,…] parameter. If you want to join on a single field name, you can use the syntax fieldName =~ join(…) to specify the field.
If the subquery has a different field that you want to match against, then use the parameter key=[name1,name2,…] to designate the names of keys inside the subquery. The value of keys defaults to the value of field.
join(…) is a filter function which in the default mode=inner lets the events though that match on the join keys. If you specify mode=left then events that do not match the join key(s) will also be let through.
If you specify include=[field, field, …] then those fields are extracted from the result of the subquery, and added to matching events. For events in the subquery that do not have one or more of the named include fields, the output will be the empty string.
Using the parameter max=N (which defaults to max=1) you can specify how many rows/events are picked up in the subquery. If a subquery has multiple events with the same join key, then up to max rows are emitted.
You can use the parameters start and end to specify an alternative time interval for the query. The parameter view can be used to direct the subquery to run in a different reposotory or view, and the live=true|false parameter can be used to control if the subquery runs as a live query. The defaults for all these parameters are inherited from the main query containing the join(…) usage.
The join function also has a concept of a maximum size of the resultset of the inner query specified with the limit=100000.
|include||[string]||No||Specifies columns to include. Default to none.|
|key||[string]||No||specifies which fields of the subquery to join on. Defaults to the value of the ‘field’ parameter.|
|field||[string]||Yes||specifies which field in the event (log line) that must match the given column value|
|limit||number||No||100000||specifies the maximum number of rows in the subquery 1..100000|
|max||number||No||1||specifies which field in the event (log line) that must match the given column value|
|mode||string||No||inner||specifies the mode (inner or left) of the join. Defaults to inner.|
|start||string||No||Start of time interval of subquery (milliseconds since UTC or 2d, 24h, 10sec, etc). (defaults to that of the main query.)|
|end||string||No||End of time interval of subquery (milliseconds since UTC or 2d, 24h, 10sec, etc). (defaults to that of the main query.)|
|view||string||No||Specify which view/repo in which to perform the subquery. (defaults to that of the main query.)|
|repo||string||No||Specify which view/repo in which to perform the subquery. (defaults to that of the main query.)|
|live||bool||No||control if the subquery runs as live or static query (defaults to that of the main query.)|
|query||Function||No||The subquery to execute producing the values to join with|
query is the unnamed parameter.