Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: Whats the difference between join command sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whats the difference between join command search command while using subsearch? Can someone explain with scenarios please.
So I am looking to join results of 2 searches and as I can see on docs.splunk there are various ways to join
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Join
I am looking for difference between join and search command specially. Can someone elaborate please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no as such relation with join and search command but yes you can use search command in subsearch to retrieve events .
You do not need to specify the search command at the beginning of your search criteria.
When the search command is not the first command in the pipeline, the search command is used to filter the results of the previous command and is referred to as a subsearch.
Lets try an example:
Try run this anywhere search:
index=_internal|fields host source|join host [search index=_internal|fields host sourcetype]
Here you are joining two indexes i.e. _internal by the common/primary field host and returning the events with fields host,source,sourcetype
but if you try to run this search without search command:
index=_internal|fields host source|join host [index=_internal|fields host sourcetype]
it will give an error as Unknown search command 'index' so the first command in a subsearch must be a generating command such as search, eventcount, or tstatsetc. to retrieve events .
Hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @varad_joshi,
if you find this useful then please accept the answer and do upvote.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Jogin command allows you depends on a field to bring two groups of search results together.
Example: search one have a result with the field IP-address and in the second search the results have a field IP-address, too.
If in both results the value of IP-adress equals the join will bring both result events together.
Result 1: IP-Adresse =192.168.1.1 and result 2 IP-address 192.168.1.1 will be joined.
Result 1: 182.168.1.2 and Result 2: 192.168.1.1 will Not joined.
Hope this helps
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
