Join Log Events with Reference Data

Combining events from different queries using the join() function

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2@{ shape: processes, label: "Join" } result{{Result Set}} repo --> 1 1 --> 2 2 --> result
logscale
event_type=auth
join({repo=user_details}, field=department, key=user_id, mode=inner)

Introduction

The join() function can be used to combine events from two different queries based on matching field values. This is useful for enriching events with additional context from another data source.

In this example, the join() function is used to combine authentication events with user details from a reference repository.

Example incoming data might look like this:

@timestampevent_typeuser_idactionstatus
2025-09-01T10:00:00ZauthU123loginsuccess
2025-09-01T10:00:05ZauthU456loginfailed
2025-09-01T10:00:10ZauthU789password_changesuccess
2025-09-01T10:00:15ZauthU123logoutsuccess
2025-09-01T10:00:20ZauthU456loginfailed
2025-09-01T10:00:25ZauthU789loginsuccess
2025-09-01T10:00:30ZauthU123loginsuccess
2025-09-01T10:00:35ZauthU999loginfailed
2025-09-01T10:00:40ZauthU456password_resetsuccess
2025-09-01T10:00:45ZauthU123logoutsuccess

And the reference data in the user_details repository looks like this:

@timestampuser_iddepartmentrolelocation
2025-09-01T00:00:00ZU123ITadminLondon
2025-09-01T00:00:00ZU456SalesuserParis
2025-09-01T00:00:00ZU789HRmanagerBerlin

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2@{ shape: processes, label: "Join" } result{{Result Set}} repo --> 1 1 --> 2 2 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    event_type=auth

    Filters the primary query to include only authentication events where event_type equals auth.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2@{ shape: processes, label: "Join" } result{{Result Set}} repo --> 1 1 --> 2 2 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    join({repo=user_details}, field=department, key=user_id, mode=inner)

    Performs an inner join with the user_details repository. The join:

    • Uses repo=user_details to specify the repository containing reference data.

    • Uses field=department to specify which field to include from the reference data.

    • Uses key=user_id to specify the field to join on.

    • Uses mode=inner to only include events where there is a match in both datasets.

  4. Event Result set.

Summary and Results

The query is used to enrich authentication events with user department information from a reference repository.

This query is useful, for example, to analyze authentication patterns by department or to investigate security incidents with additional user context.

Sample output from the incoming example data:

@timestampevent_typeuser_idactionstatusdepartment
2025-09-01T10:00:00ZauthU123loginsuccessIT
2025-09-01T10:00:05ZauthU456loginfailedSales
2025-09-01T10:00:10ZauthU789password_changesuccessHR
2025-09-01T10:00:15ZauthU123logoutsuccessIT
2025-09-01T10:00:20ZauthU456loginfailedSales
2025-09-01T10:00:25ZauthU789loginsuccessHR
2025-09-01T10:00:30ZauthU123loginsuccessIT
2025-09-01T10:00:40ZauthU456password_resetsuccessSales
2025-09-01T10:00:45ZauthU123logoutsuccessIT

Note that the event with user_id=U999 is not included in the output because it has no matching record in the reference data (inner join behavior).

For other join() examples, see also join() Syntax.