topic Error when using append and join-- Search Factory: Unknown search command 'index'. in Splunk Search https://community.splunk.com/t5/Splunk-Search/Error-when-using-append-and-join-Search-Factory-Unknown-search/m-p/343373#M101675 <P>Hi ,</P> <P>Below are the two queries for which I am trying to join the output of the both queries but I am facing an issue as <STRONG>Search Factory: Unknown search command 'index'.</STRONG></P> <P>First query</P> <BLOCKQUOTE> <P>index=apache* sourcetype=access_log<BR /> host=xyz OR host=abc | timechart<BR /> span=10m count as requests_per_minute</P> </BLOCKQUOTE> <P>Second query</P> <BLOCKQUOTE> <P>index=apache* sourcetype=web_logs<BR /> host=cde OR host=wxy | table BClog</P> </BLOCKQUOTE> <P>When I tried the both append and join it is not working .</P> <BLOCKQUOTE> <P>index=apache* sourcetype=access_log<BR /> host=xyz OR host=abc | timechart<BR /> span=10m count as requests_per_minute<BR /> | join [ index=apache*<BR /> sourcetype=web_logs host=cde OR<BR /> host=wxy | table BClog ]</P> <P>index=apache* sourcetype=access_log<BR /> host=xyz OR host=abc | timechart<BR /> span=10m count as requests_per_minute<BR /> | append [ index=apache*<BR /> sourcetype=web_logs host=cde OR<BR /> host=wxy | table BClog ]</P> </BLOCKQUOTE> Tue, 29 Sep 2020 16:34:03 GMT kteng2024 2020-09-29T16:34:03Z Error when using append and join-- Search Factory: Unknown search command 'index'. https://community.splunk.com/t5/Splunk-Search/Error-when-using-append-and-join-Search-Factory-Unknown-search/m-p/343373#M101675 <P>Hi ,</P> <P>Below are the two queries for which I am trying to join the output of the both queries but I am facing an issue as <STRONG>Search Factory: Unknown search command 'index'.</STRONG></P> <P>First query</P> <BLOCKQUOTE> <P>index=apache* sourcetype=access_log<BR /> host=xyz OR host=abc | timechart<BR /> span=10m count as requests_per_minute</P> </BLOCKQUOTE> <P>Second query</P> <BLOCKQUOTE> <P>index=apache* sourcetype=web_logs<BR /> host=cde OR host=wxy | table BClog</P> </BLOCKQUOTE> <P>When I tried the both append and join it is not working .</P> <BLOCKQUOTE> <P>index=apache* sourcetype=access_log<BR /> host=xyz OR host=abc | timechart<BR /> span=10m count as requests_per_minute<BR /> | join [ index=apache*<BR /> sourcetype=web_logs host=cde OR<BR /> host=wxy | table BClog ]</P> <P>index=apache* sourcetype=access_log<BR /> host=xyz OR host=abc | timechart<BR /> span=10m count as requests_per_minute<BR /> | append [ index=apache*<BR /> sourcetype=web_logs host=cde OR<BR /> host=wxy | table BClog ]</P> </BLOCKQUOTE> Tue, 29 Sep 2020 16:34:03 GMT https://community.splunk.com/t5/Splunk-Search/Error-when-using-append-and-join-Search-Factory-Unknown-search/m-p/343373#M101675 kteng2024 2020-09-29T16:34:03Z Re: Error when using append and join-- Search Factory: Unknown search command 'index'. https://community.splunk.com/t5/Splunk-Search/Error-when-using-append-and-join-Search-Factory-Unknown-search/m-p/343374#M101676 <P>@kteng2024, add <CODE>search</CODE> in the subquery and try.</P> <PRE><CODE>index=apache* sourcetype=access_log host=xyz OR host=abc | timechart span=10m count as requests_per_minute | append [ search index=apache* sourcetype=web_logs host=cde OR host=wxy | table BClog ] </CODE></PRE> Fri, 03 Nov 2017 21:22:47 GMT https://community.splunk.com/t5/Splunk-Search/Error-when-using-append-and-join-Search-Factory-Unknown-search/m-p/343374#M101676 niketn 2017-11-03T21:22:47Z