Here is offical document:https://docs.splunk.com/Documentation/SplunkCloud/7.0.2/Search/GetstartedwithSearch

| inputlookup all_w
| search slavename="MAC-BUILD-GIT*"
| join type=outer slavename
[ search index="acadci_mp_prod" category=taskEnded slavename=*
| stats count by slavename
]
| eval count=if(isnull(count), "0", count)
| sort -count

上面這個(gè)SPL類似于SQL的全連接, type=outer

inputlookup lookup_table_name: 相當(dāng)于 select * from lookup_table_name

| search slavename="MAC-BUILD-GIT*" 相當(dāng)于 where slavename ="MAC-BUILD-GIT*"

[ search index="acadci_mp_prod" category=taskEnded slavename=*
| stats count by slavename
]

是個(gè)子查詢

eval可以對現(xiàn)有的field計(jì)算 變形等 生成新的filed

sort 用來排序

Note： type= inner left outer 官方說left 與outer是一樣的 ， 但實(shí)際并不一樣. default是left.

LOOKUP使用的時(shí)候需要某個(gè)field名與要查詢的表相同.