Joins two LogScale searches. When joining two searches, you need to define the keys/fields that are used to match up results. This is done using the field=name or field=[name,name,...] parameter. If you want to join on a single field name, you can use the syntax:

logscale Syntax
fieldName =~ join(...)

to specify the field.

If the subquery has a different field that you want to match against, then use the parameter key=[name1,name2,...] to designate the names of keys inside the subquery. The value of keys defaults to the value of field.

join() is a filter function which in the default mode=inner lets the events through that match on the join keys. If you specify mode=left then events that do not match the join key(s) will also be let through.

If you specify include=[field, field, ...] then those fields are extracted from the result of the subquery, and added to matching events. For events in the subquery that do not have one or more of the named include fields, the output will be the empty string.

Using the parameter max=N (which defaults to max=1) you can specify how many rows/events are picked up in the subquery. If a subquery has multiple events with the same join key, then up to max rows are emitted.

You can use the parameters start and end to specify an alternative time interval for the query. The parameter view can be used to direct the subquery to run in a different repository or view, and the live=true|false parameter can be used to control if the subquery runs as a live query. The defaults for all these parameters are inherited from the primary query containing the join(...) usage.

The join() function also has a concept of a maximum size of the resultset of the inner query specified with the limit=100000 parameter.

Warning

The join() function does two passes over the data and should not be used as part of a live query. The two passes consist of the primary query and the subquery; as two separate queries the sets of data on which they are executed may be different leading to inconsistent results.

When used in a live query, the query will be run in a repeated mode instead, in which the server chooses the repetition interval based on the resources used by the function.

This can impact the liveness of the query, in that long-running repeated queries can be throttled, and thus be less live than expected.

ParameterTypeRequiredDefault ValueDescription
endstringoptional[a] End of main query Specifies either the timestamp relative to the main query's end (for example, end=2h will be two hours before the end of the main query) or an absolute timestamp in milliseconds since UTC.
fieldarray of stringsrequired   Specifies which field in the event (log line) must match the given column value.
includearray of stringsoptional[a] none Specifies columns to include from the subquery.
keyarray of stringsoptional[a]   Specifies which fields of the subquery to join on. Defaults to the value of the field parameter.
limitnumberoptional[a] 100000 Specifies the maximum number of rows in the subquery.
  Minimum1 
  Maximum200000 
livebooleanoptional[a] Same as main query Control if the subquery runs as live or static query.
maxintegeroptional[a] 1 Maximum number of events found in subquery if several share join key.
modestringoptional[a] inner Specifies the mode (inner or left) of the join.
   Values
   innerPerform an inner join; return only results that match in both queries
   leftPerform a left join, all values from the parent query are included, matched to any corresponding events in subquery.
query[b]functionrequired   The subquery to execute producing the values to join with.
repostringoptional[a] Repo of main query Specify which view/repo in which to perform the subquery.
startstringoptional[a] Start of main query Specifies either the timestamp relative to the main query's end (for example, start=2h will be two hours before the end of the main query) or an absolute timestamp in milliseconds since UTC.
viewstringoptional[a] View of main query Specify which view/repo in which to perform the subquery.

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name query can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

Hide negatable operation for this function

Show negatable operation for this function

Find some examples at join() Syntax section.

join()Examples

Click + next to an example below to get the full details.

Filter For Items Not Part of Data Set Using !join()

Find the set difference using the join() function with negation

Query
logscale
#repo=A session_id=*
| !join(query={#repo=B session_id=*}, field=session_id, key=session_id)
Introduction

In this example, the join() function is used with a negation to search and find all session IDs from data set A that are not found in data set B.

Example incoming data from repository A might look like this:

timestampsession_iduser_nameactionstatus
2025-04-01T07:00:00Z123456john.doeloginsuccess
2025-04-01T07:05:00Z123457jane.smithdownloadsuccess
2025-04-01T07:10:00Z123458mike.jonesuploadfailed
2025-04-01T07:15:00Z123459sara.wilsonloginsuccess
2025-04-01T07:20:00Z123460bob.brownlogoutsuccess

Example incoming data from repository B might look like this:

timestampsession_iduser_nameactionstatus
2025-04-01T07:00:00Z123456john.doeloginsuccess
2025-04-01T07:05:00Z123457jane.smithdownloadsuccess
2025-04-01T07:20:00Z123460bob.brownlogoutsuccess
Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    #repo=A session_id=*

    Filters for all events from repository A, that have a session_id field.

  3. logscale
    | !join(query={#repo=B session_id=*}, field=session_id, key=session_id)

    Performs a negated join with repository B, and returns sessions that exist in repository A but not in repository B. The negation operator is used to make it an anti-join operation.

    LogScale recommends using the defineTable() function with !match() instead of negated join. See example Filter For Items Not Part of Data Set Using defineTable()

  4. Event Result set.

Summary and Results

The query is used to find the set difference between two repositories. This is, for example, useful for identifying sync issues or performing data consistency checks. Or just to make a cross-repository comparison.

For more information, see also Query Joins and Lookups

Sample output from the incoming example data:

timestampsession_iduser_nameactionstatus
2025-04-01T07:10:00Z123458mike.jonesuploadfailed
2025-04-01T07:15:00Z123459sara.wilsonloginsuccess

Preview Content in a Lookup File With readFile() and Filter With !join()

Preview content in a lookup file in the search portion of a repo and filter for specific data with the !join() function

Query
logscale
readFile("host_names.csv")
| !join(query={groupBy(host_name)}, field=host_name, key=host_name, include=[host_name, id])
Introduction

In this example, the readFile() function is used to look up a host_names.csv file, and then filter for host names that do not send any logs.

Example incoming data might look like this: 

|--------------------|
| host_name, host_id |
| DESKTOP-VSKPBK8, 1 |
| FINANCE, 2         |
| homer-xubuntu, 3   |
| logger, 4          |
| DESKTOP-1, 5       |
| DESKTOP-2, 6       |
| DESKTOP-3, 7       |
|--------------------|
Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    readFile("host_names.csv")

    Displays the content of the .csv file.

  3. logscale
    | !join(query={groupBy(host_name)}, field=host_name, key=host_name, include=[host_name, id])

    Filters for host names that do not send any logs.

  4. Event Result set.

Summary and Results

The query is used to preview content in CSV Lookup Files, and then filter for host names that do not send any logs.

Sample output from the incoming example data:

host_idhost_name
5DESKTOP-1
6DESKTOP-2
7DESKTOP-3