https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340637#M5522 <P>Hi @varad_joshi,<BR /> if you find this useful then please accept the answer and do upvote.<BR /> Thanks.</P> Thu, 01 Feb 2018 17:35:19 GMT 493669 2018-02-01T17:35:19Z https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340634#M5519 <P>So I am looking to join results of 2 searches and as I can see on docs.splunk there are various ways to join <BR /> <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Join">https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Join</A></P> <P>I am looking for difference between join and search command specially. Can someone elaborate please?</P> Wed, 31 Jan 2018 07:44:50 GMT https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340634#M5519 varad_joshi 2018-01-31T07:44:50Z https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340635#M5520 <P>The Jogin command allows you depends on a field to bring two groups of search results together.</P> <P>Example: search one have a result with the field IP-address and in the second search the results have a field IP-address, too. <BR /> If in both results the value of IP-adress equals the join will bring both result events together.</P> <P>Result 1: IP-Adresse =192.168.1.1 and result 2 IP-address 192.168.1.1 will be joined.<BR /> Result 1: 182.168.1.2 and Result 2: 192.168.1.1 will Not joined.</P> <P>Hope this helps</P> Wed, 31 Jan 2018 08:05:44 GMT https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340635#M5520 amielke 2018-01-31T08:05:44Z https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340636#M5521 <P>There is no as such relation with <CODE>join</CODE> and <CODE>search</CODE> command but yes you can use <CODE>search</CODE> command in subsearch to retrieve events .<BR /> You do not need to specify the <CODE>search</CODE> command at the beginning of your search criteria.<BR /> When the search command is not the first command in the pipeline, the search command is used to filter the results of the previous command and is referred to as a subsearch.<BR /> Lets try an example:<BR /> Try run this anywhere search:</P> <PRE><CODE>index=_internal|fields host source|join host [search index=_internal|fields host sourcetype] </CODE></PRE> <P>Here you are joining two indexes i.e. _internal by the common/primary field <CODE>host</CODE> and returning the events with fields <CODE>host,source,sourcetype</CODE><BR /> but if you try to run this search without search command:</P> <PRE><CODE>index=_internal|fields host source|join host [index=_internal|fields host sourcetype] </CODE></PRE> <P>it will give an error as <CODE>Unknown search command 'index'</CODE> so the first command in a subsearch must be a generating command such as <CODE>search</CODE>, <CODE>eventcount</CODE>, or <CODE>tstats</CODE>etc. to retrieve events .<BR /> Hope this helps!</P> Wed, 31 Jan 2018 12:33:25 GMT https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340636#M5521 493669 2018-01-31T12:33:25Z https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340637#M5522 <P>Hi @varad_joshi,<BR /> if you find this useful then please accept the answer and do upvote.<BR /> Thanks.</P> Thu, 01 Feb 2018 17:35:19 GMT https://community.splunk.com/t5/Knowledge-Management/Whats-the-difference-between-join-command-search-command-while/m-p/340637#M5522 493669 2018-02-01T17:35:19Z