Join Us

The join operator allows you to merge multiple result sets together. Using the let statement, we can create and name a search and then reference that search later and via the name that we assign.

important

Clear the query box.

Enter the following query:

let outcomes = dataset="cribl_lookups" lookup_table="sbx_http_outcomes"; 

dataset="cribl_search_sample" dataSource="access_combined"
| limit 100000 
| where isnotnull(status) 
| join outcomes on status
| distinct url, status, outcome

Click SEARCH.

This is working similar to the lookup operator but what you are essentially doing here is joining the results of 2 separate searches based on a common field, status.

important

Clear the query box.

Enter the following query:

dataset="cribl_search_sample" dataSource="access_combined" host="web01.cribl.io"
| summarize by host, status

Click Details
Copy the Job ID (save somewhere for later)
Change host="web01.cribl.io" to host="web03.cribl.io"
Click Search.
Click Details.
Copy the Job ID (save somewhere for later).

Now that we've executed 2 searches, we'll retrieve those results and combine them into a single search.

important

Empty the search bar.
Run the following query. Be sure to replace the jobId placeholders with the 2 jobId's that you saved from the previous step.
```
dataset="$vt_results" (jobId="1709840281373.EnEEzY" or jobId="1709840214304.rUUrxv")
| project host, status, count_
```

And there you have it, the results from both searches combined into a single search.