https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425032#M121871 <P>Try adding the <CODE>search</CODE> command to the <CODE>join</CODE>.</P> <PRE><CODE>... | join namespace [search source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))] </CODE></PRE> Thu, 23 Aug 2018 17:33:06 GMT richgalloway 2018-08-23T17:33:06Z https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425031#M121870 <P>I tried to add a simple <CODE>join</CODE> onto my search but Splunk throws a 400 error </P> <PRE><CODE>{"messages":[{"type":"FATAL","text":"Missing or malformed messages.conf stanza for SEARCHFACTORY:UNKNOWN_OP__namespace"}]} &lt;Search&gt; | eventstats earliest(count) as earliest_count,earliest(_time) as earliest_time,latest(_time) as latest_time, latest(count) as latest_count by namespace | where latest_count=earliest_count | eval l_time=strftime(latest_time,"%m/%d/%y %H:%M:%S") | eval e_time=strftime(earliest_time,"%m/%d/%y %H:%M:%S") | eval time_since_last = latest_time - earliest_time | fieldformat time_since_last = tostring(time_since_last, "duration") | join namespace [source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))] </CODE></PRE> Thu, 23 Aug 2018 15:28:39 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425031#M121870 tb5821 2018-08-23T15:28:39Z https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425032#M121871 <P>Try adding the <CODE>search</CODE> command to the <CODE>join</CODE>.</P> <PRE><CODE>... | join namespace [search source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))] </CODE></PRE> Thu, 23 Aug 2018 17:33:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425032#M121871 richgalloway 2018-08-23T17:33:06Z https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425033#M121872 <P>i hope this issue is not related to join command.. <BR /> In the middle of the SPL, we can not have this <CODE>[source=abc .... ]</CODE>, </P> <P>with a search command, it will become a complete SPL..</P> <P><CODE>join namespace [source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s <BR /> | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]</CODE></P> Fri, 24 Aug 2018 05:52:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425033#M121872 inventsekar 2018-08-24T05:52:07Z https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425034#M121873 <P>i hope this issue is not related to join command.. <BR /> In the middle of the SPL, we can not have this <CODE>[source=abc .... ]</CODE>, </P> <P>with a search command, it will become a complete SPL..</P> <P><CODE>join namespace [source="/var/log/lag/mongostats.txt" namespace=* earliest=-12h@s <BR /> | eval namespace=trim(replace(namespace,"vodcoe-vdm.",""))]</CODE></P> Fri, 24 Aug 2018 05:52:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425034#M121873 inventsekar 2018-08-24T05:52:20Z https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425035#M121874 <P>Searches/subsearches need to start with a command. "source" is not a command, but <CODE>search</CODE> is. There is an implicit <CODE>search</CODE> at the beginning of every query, but not in subsearches.</P> Fri, 24 Aug 2018 18:50:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-do-I-get-a-400-stanza-error-when-using-a-join-command-in/m-p/425035#M121874 richgalloway 2018-08-24T18:50:22Z