topic Re: How to use head command at the end if we have multiple joins in a search? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377167#M110663 <P>Hi @kmaron , yes i have used that, but it did not worked out</P> Wed, 07 Nov 2018 07:03:46 GMT Akumar294 2018-11-07T07:03:46Z How to use head command at the end if we have multiple joins in a search? https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377165#M110661 <P>Hello Guys,</P> <P>I have a search in which i am using different join commands(4 join commands) and finally at the end, i will be getting some thousands records. But what i want is - to get the most recent event by doing a head 1 or head 10 based on <STRONG>most recent timestamp</STRONG>.<BR /> Below search should just return 1 record based on latest time stamp as i have used head 1 at the end, but it seems head is not doing any job at all, i get the same number of events if i remove head 1. Does head doesn't work with join?<BR /> Please suggest</P> <PRE><CODE>index="pi_sales_monitoring_agent_nonprod" sourcetype=PS_dev-tes-mtr* |search "pms_01_zip_rename" |rex field=_raw "\.(?&lt;Job_Number&gt;\d\d\d\d\d\d\d)\." |transaction Job_Number mvraw=true |search "completed message sent" AND pmall |eval myRaw = _raw |mvexpand myRaw |rename myRaw as _raw |search "completed message sent" |stats count as c1 |join[search index="pi_sales_monitoring_agent_nonprod" sourcetype=PS_dev-tes-mtr* "pms_01_zip_rename" |rex field=_raw "\.(?&lt;Job_Number&gt;\d\d\d\d\d\d\d)\." |transaction Job_Number mvraw=true |search "completed abnormally message sent" AND pmall |eval myRaw = _raw |mvexpand myRaw |rename myRaw as _raw |search "completed abnormally message sent" |stats count as c2] |join[search index="pi_sales_monitoring_agent_nonprod" sourcetype=PS_dev-tes-mtr* "pms_01_zip_rename" |rex field=_raw "\.(?&lt;Job_Number&gt;\d\d\d\d\d\d\d)\." |transaction Job_Number mvraw=true |search ((NOT "Complete") AND (NOT "Completed abnormally")) AND pmall |eval myRaw = _raw |mvexpand myRaw |rename myRaw as _raw |search ((NOT "Complete") AND (NOT "Completed abnormally")) |stats count as c3] |join[search index="pi_sales_monitoring_agent_nonprod" sourcetype=PS_dev-tes-mtr* "pms_01_zip_rename" |rex field=_raw "\.(?&lt;Job_Number&gt;\d\d\d\d\d\d\d)\." |transaction Job_Number |search pmall |stats count as c4] |head 1 </CODE></PRE> Tue, 06 Nov 2018 09:55:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377165#M110661 Akumar294 2018-11-06T09:55:09Z Re: How to use head command at the end if we have multiple joins in a search? https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377166#M110662 <P>Have you tried using append instead of join?</P> Tue, 06 Nov 2018 14:14:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377166#M110662 kmaron 2018-11-06T14:14:31Z Re: How to use head command at the end if we have multiple joins in a search? https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377167#M110663 <P>Hi @kmaron , yes i have used that, but it did not worked out</P> Wed, 07 Nov 2018 07:03:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-head-command-at-the-end-if-we-have-multiple-joins-in/m-p/377167#M110663 Akumar294 2018-11-07T07:03:46Z