topic Re: Error in 'join' command: Usage: join ()? [subsearch] in Splunk Search https://community.splunk.com/t5/Splunk-Search/Error-in-join-command-Usage-join-subsearch/m-p/111668#M29260 <P>Make sure the ENTIRE search is on a single line within the macros.conf file. Line breaks will kill this quite quickly.</P> Wed, 23 Oct 2013 15:40:46 GMT alacercogitatus 2013-10-23T15:40:46Z Error in 'join' command: Usage: join ()? [subsearch] https://community.splunk.com/t5/Splunk-Search/Error-in-join-command-Usage-join-subsearch/m-p/111667#M29259 <P>I get the error "<CODE>Error in 'join' command: Usage: join &lt;options&gt; (&lt;join-fields&gt;)? [subsearch]</CODE>" when running the following search within a macro but it runs fine and produces desired results if i run it in a regular search without encasulating it inside a macro so it means that the main and subsearches inside the join command are working fine. Any help will be appreciated.</P> <P><CODE>| inputlookup bank_statement | join type=outer key [search index=treasury sourcetype="treasury_wss_ebs" | regex path="ARCHIVE|ERROR" | regex path!="SWIFT" | eval mtime=round(strptime(modtime, "%a %b %d %H:%M:%S %Y")) | eval tz=strftime(now(),"%z") | eval offset=tonumber(tz/100) | eval eastern_time=mtime+(offset*60*60) | eval time=strftime(eastern_time, "%b %d %H:%M:%S %Y") | eval x=split(path,"/") | eval c=mvcount(x)-1 | eval filename=mvindex(x,c) | rex field=filename "^(?&lt;bank&gt;[^_]+)" | where bank!=filename | eval y=split(filename,"_") | eval type=mvindex(y,2) | eval x=mvindex(y,3) | rex field=x "^(?&lt;location&gt;[^\d]+)" | eval location=if(isnull(location),"-",location) | eval key=bank.type.location]</CODE></P> Wed, 23 Oct 2013 15:21:15 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-join-command-Usage-join-subsearch/m-p/111667#M29259 jeffreygaraygay 2013-10-23T15:21:15Z Re: Error in 'join' command: Usage: join ()? [subsearch] https://community.splunk.com/t5/Splunk-Search/Error-in-join-command-Usage-join-subsearch/m-p/111668#M29260 <P>Make sure the ENTIRE search is on a single line within the macros.conf file. Line breaks will kill this quite quickly.</P> Wed, 23 Oct 2013 15:40:46 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-join-command-Usage-join-subsearch/m-p/111668#M29260 alacercogitatus 2013-10-23T15:40:46Z