---
title: "Join operator and Query Agent for smarter log analysis"
page_name: "Join operator and Query Agent for smarter log analysis"
type: "blog"
slug: "using-the-join-operator"
published_at: "2026-04-22"
modified_at: "2026-04-22"
url: "https://www.sumologic.com/blog/using-the-join-operator"
canonical: "https://www.sumologic.com/blog/using-the-join-operator"
markdown_url: "https://www.sumologic.com/blog/using-the-join-operator.md"
lang: "en"
excerpt: "Learn how Sumo Logic’s join operator combines multiple log streams into a single result set, and how Dojo AI’s Query Agent helps you build and optimize those queries faster."
taxonomy_blog_category:
  - "AI"
  - "DevOps & IT Operations"
  - "SecOps & Security"
---


# Join operator and Query Agent for smarter log analysis

Duane DeCapite

April 22, 2026

3 min read 



[Sumo Logic’s log analytics](https://www.sumologic.com/guides/log-analytics) capabilities have always provided the greatest insights to help you secure, monitor and troubleshoot your environment. Now, with our [Query Agent](https://www.sumologic.com/solutions/dojo-ai#:~:text=respond%20with%20confidence.-,Query%20Agent,-%3A%20Transforming%20natural%20language), as part of [Dojo AI](https://www.sumologic.com/solutions/dojo-ai), creating optimized log searches with natural language is even easier.

Query Agent works with a wide variety of operators, including the [join operator](https://www.sumologic.com/help/docs/search/search-query-language/search-operators/join/), for parsing, aggregation, data transformation, filtering, advanced analysis and lookup. The join operator brings the essence of a SQL JOIN to your stream of unstructured data, giving you even more flexibility.

## What is the join operator?

In a standard relational join, the datasets in the tables to be joined are fixed at query time. However, matching IDs across log messages from different days within your search timeframe is likely to produce the wrong result, because actions performed yesterday shouldn’t be associated with a login event that occurred today.

For this reason, our join operator provides a specified moving timeframe for joining log messages.

In the diagram below, the pink and orange represent two streams of disparate log messages. They both contain a key/value pair we want to match on, and the messages are joined on that key/value when they both occur within the time window indicated by the black box.

### Join operator in practice

Now let’s put this to use. Suppose an application has both real and machine-controlled users. You want to know which users are which so you can keep an eye out for any machine-controlled users that might be impacting performance.

As it turns out, human users create requests at a reasonably low rate, while machine-controlled users (accessing via an API) can generate several requests per second, and always immediately after the login event.

In these logs, several different messages are coming in with varying purposes and values. Using the join operator, you can query for both login and request events and then restrict the time window of the matching logic to combine the two message streams. The two sub-queries in my search will look for request/query events and login events, respectively.

The match window is limited to just 15 seconds to identify requests that occur very close to the login event. Then, you can filter out users who made fewer than ten requests in that 15-second time frame following a login. The result is a clear view of users actively issuing a large volume of requests via the API immediately upon logging in.

Here is my example query:

```
(login or (creating query))
| join
 (parse "Creating query: '*'" as query, "auth=User:*:" as user) as query,
 (parse "Login success for: '*'" as user) as login
 on query.user = login.user
 timewindow 15s
| count by query_user
| where _count > 10
| sort _count
```

As you can see from the syntax above, the subqueries use the same syntax as standard log searches and even support aggregates (count, sum, average, etc.), so you can join complex results together and get the insights you need.

And Sumo Logic supports joining more than just two streams of logs, so you can combine all your favorite data into one query.
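To make the semantics of the example query concrete, here is an added Python model of the same pipeline (not Sumo Logic code): two parse streams, an inner join on user restricted to a 15-second window, then count, filter and sort. The log lines, user names and timestamps are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Field-extraction patterns mirroring the two parse clauses of the query above.
LOGIN_RE = re.compile(r"Login success for: '([^']+)'")
QUERY_RE = re.compile(r"Creating query: '([^']*)'.*auth=User:([^:]+):")

def parse(lines):
    """Split raw '<iso-timestamp> <message>' lines into the login and query streams."""
    logins, queries = [], []
    for line in lines:
        ts_str, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        if m := LOGIN_RE.search(msg):
            logins.append((ts, m.group(1)))
        elif m := QUERY_RE.search(msg):
            queries.append((ts, m.group(2), m.group(1)))
    return logins, queries

def join_within(queries, logins, window):
    """Inner join on user, keeping pairs whose timestamps fall within `window` of
    each other. A user with two logins inside the window yields duplicate rows,
    exactly as a SQL inner join would; fields are prefixed with the alias (query_user)."""
    rows = []
    for q_ts, q_user, q_text in queries:
        for l_ts, l_user in logins:
            if q_user == l_user and abs(q_ts - l_ts) <= window:
                rows.append({"query_user": q_user, "query": q_text, "login_ts": l_ts})
    return rows

def api_heavy_users(lines, window=timedelta(seconds=15), threshold=10):
    """count by query_user | where _count > threshold | sort, highest count first."""
    logins, queries = parse(lines)
    counts = {}
    for row in join_within(queries, logins, window):
        counts[row["query_user"]] = counts.get(row["query_user"], 0) + 1
    return sorted(((u, c) for u, c in counts.items() if c > threshold), key=lambda x: -x[1])

def constructed_logs():
    """Constructed sample: alice fires 12 queries right after login, bob 2, carol 12 but 30s later."""
    base = datetime(2026, 4, 22, 10, 0, 0)
    lines = [f"{base.isoformat()} Login success for: '{u}'" for u in ("alice", "bob", "carol")]
    for user, n, offset in (("alice", 12, 1), ("bob", 2, 5), ("carol", 12, 30)):
        for i in range(n):
            t = base + timedelta(seconds=offset + i)
            lines.append(f"{t.isoformat()} Creating query: 'q{i}' auth=User:{user}:")
    return lines

if __name__ == "__main__":
    print(api_heavy_users(constructed_logs()))  # [('alice', 12)]
```

Carol's queries are dropped even though they match on user, because they fall outside the window; that is the difference between this join and a plain relational one.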

## What is the Dojo AI Query Agent?

Writing a join query with the right syntax, time window, and matching logic can be tricky, especially when you’re working with multiple log streams. The Query Agent makes this process easier.

Part of our team of [Dojo AI agents](https://www.sumologic.com/blog/agents-dojo-ai-soc-analyst-mcp), the Query Agent, accessed through [Mobot](https://www.sumologic.com/demo/mobot-walkthrough), translates your natural-language questions into Sumo Logic log search queries to help you create optimized queries with a prompt.

The following example shows how a user can prompt the Query Agent via Mobot to create a join command, making it easy to join logs for a search. In the screenshot below, the user prompts the Query Agent to associate the changelog logs for a service with the application logs to check for a status code.

In addition to displaying the results, the Query Agent indicates that a join was used and surfaces key observations, such as latency. It also provides the exact search command, which can be easily used or modified in the log search canvas. To make the query more understandable, the Query Agent includes a clear explanation of the search, outlining its key components and how they relate to one another.

## Final note

The join operator allows you to combine records from two or more data streams into a single result set dynamically, functioning similarly to a SQL inner join. The join operator, like Sumo Logic's other operators, is enhanced by Dojo AI agents.

Learn how Dojo AI can help you monitor, troubleshoot and secure your environment. [See it in action](https://www.sumologic.com/demo/dojo-ai-walkthrough).

### FAQs

**What is the Query Agent?**

The Query Agent helps users rapidly translate natural language requests submitted via Mobot into precise Sumo Logic queries, simplifying the exploration, analysis, and extraction of insights from complex datasets. By understanding context and user intent, it lowers the learning curve for new users while boosting efficiency for experienced analysts.

**Do Dojo AI agents access customer data?**

Agent interaction with customer data varies by capability.

Mobot (including Query Agent and Knowledge Agent) and Summary Agent do NOT process or analyze customer data.

The SOC Analyst Agent (in preview as of February 2026 with certain chosen customers) processes customer data in order to help review insight data, correlate activity, and assist in triage and investigation as directed by the user.

Any AI capability that processes customer data:

- Is available only through explicit customer opt-in (never automatically provisioned)
- Requires execution of the applicable AI addendum to the client agreement

Customers retain control over whether these data-processing capabilities are enabled in their environment.

**What is Sumo Logic Dojo AI?**

Sumo Logic Dojo AI is a multi-agent AI platform built to power intelligent security operations and incident response. It is designed to act autonomously while continuously adapting to evolving threats.


Duane DeCapite

Senior Director, Product Management

Duane is the Senior Director of Product Management at Sumo Logic. Before joining Sumo Logic, Duane held Cybersecurity, Observability and AI product roles at NetSPI, VMware, N-able, Cumulus Networks and Cisco. Duane authored Self-Defending Networks: The Next Generation of Network Security with Cisco Press and represented Cisco in the National Security Telecommunications Advisory Committee (NSTAC). Duane has also been a featured speaker at key industry events, including KubeCon, Cisco Live, Red Hat Summit, SUSECON, OpenStack Summit and SDN/NFV World Congress. Duane holds an MBA from the University of North Carolina at Chapel Hill and a BS in Computer Science from North Carolina State University, and has completed coursework towards an MS in Engineering at Stanford University.

