Splunk Cloud Platform

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform

Splunk Cloud Platform Contents

Get Started

Administer

Search

SPL2 Search Reference

union command

union command: Examples

Manage Knowledge Objects

Leverage REST APIs

Release Notes

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Ingest Data from Cloud Services

Forward and Process Data

Process Data at the Edge

Process Data at Ingest Time

Collect Stream Data

Connect Relational Databases

Common Information Model

InfoSec App for Splunk

OT Intelligence

Using Splunk Mobile

REST API Reference

SPL Search Reference

Splunk Validated Architectures

Developing Views and Apps for Splunk Web

MCP Server for Splunk Platform

union command: Examples

The following are examples for using the SPL2 union command. To learn more about the union command, see How the SPL2 union command works.

1. Merging of events from multiple datasets

The following example merges events from the %customers; and %orders; index datasets, and the %vendors_lookup; dataset. You must separate the dataset names with a comma.

| union customers, orders, vendors_lookup

You can also embed the union command in the from command by using a subsearch in the FROM clause expression:

| FROM [union customers, orders, vendors_lookup] WHERE ...

2. Merging events from an incoming set of search results

The following example merges events from incoming search results with an existing dataset.

| from mysecurityview | fields _time, clientip | union customers

3. Appending the results of a subsearch to the results of the main search

The following example appends the current results of the main search with the tabular results of errors from the subsearch.

... | stats count() BY category1 | union [search error | stats count() BY category2]

See also

union command

union command: Overview, syntax, and usage

ON THIS PAGE

1. Merging of events from multiple datasets
2. Merging events from an incoming set of search results
3. Appending the results of a subsearch to the results of the main search
See also

Last updated: January 16, 2026

Explore Topics

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Observability Cloud

Splunk IT Service Intelligence

AppDynamics SaaS

AppDynamics On-Premises

AppDynamics SAP Agent

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

Release Notes and Updates

Supported Add-ons

Splunk Style Guide

©2005-2025 Splunk Inc. All rights reserved.