I want to use join. However, the fields to be compared are fields called _time and b. However, when join _time, b [sub_search] is performed, the date is output for only one day. What should I do?
OK. It's clear that you have an SQL background and try to implement the same logic in SPL 😉
It doesn't work this way. (or rather you can make it work this way but you usually shouldn't)
You search from the same index and group by mostly the same fields so you do the same work at least twice (not to mention that subsearches have their limits so you don't like subsearches).
Again - show us what your events look like. And tell us what you want to achieve as in "what effect you want to get".
As in the initial question, I want to derive a result in which the _time and b fields match.
The SPL attached below is also a field created in that context.
OK. Let me explain why I'm asking by a simple (albeit a bit limited, I admit) analogy.
Let's assume we're talking about cars and you've only ever driven a particular brand of car which requires removal of the wheel arch just to get access to the headlight bulb. So you suddenly bought a modern car with LED headlamp and come to the forums to ask "how to remove the wheel arch so I can replace my headlight bulb?". And we're telling you that this is no longer that car you drove for many years and you don't have to remove the wheel arch. And furthermore, it's an LED lamp so you have no bulbs to change.
So in that case the problem to resolve is not "how to remove the wheel arch" but "what to do about dim headlight". Which is a completely different problem.
In your case, you're trying to get some report from your events - that's your basic need. Not the join command in itself. The join command is just a tool or a step in the way (just like removing that wheel arch).
1. Tell us a bit more about your data (show some sample events; obfuscated/anonymized if you have sensitive information in them).
2. Be more precise about what you want to achieve, not how you want to do it.
And most importantly:
3. There are usually better ways to correlate data than by using join. Often the way to go is to use the "stats" command

index=si-index-cbm type IN ("br-flag")
| stats values(AMP) as AMP by _time, train_number, car_number, car
| join type=left left=L right=R where L._time=R._time L.car_number=R.car_number
    [| search index=si-index-cbm type IN ("br-cur")
    | stats avg(data) as data by _time, train_number, car_number, car, key, ip, name, type, date]

or

index=si-index-cbm type IN ("br-flag")
| stats values(AMP) as AMP by _time, train_number, car_number, car
| join _time, car_number
    [| search index=si-index-cbm type IN ("br-cur")
    | stats avg(data) as data by _time, train_number, car_number, car, key, ip, name, type, date]

I want to use those codes, but it doesn't work
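As an added example that is not from any participant in this thread, this is how the stats-based correlation recommended in the reply above could be written for the two queries posted: both event types are pulled in one search and correlated by the group-by keys, so there is no subsearch and no join, and the subsearch result and time limits that can silently truncate the joined side no longer apply. It assumes the index, type values and field names exactly as they appear in the posted queries, that matching br-flag and br-cur events carry the same _time value, and that the extra br-cur fields (key, ip, name, date) are wanted as collected values rather than as group-by keys, because grouping by a field that br-flag events do not carry would drop those events from the result.

```spl
index=si-index-cbm type IN ("br-flag", "br-cur")
| eval flag_amp=if(type="br-flag", AMP, null())
| eval cur_data=if(type="br-cur", data, null())
| stats values(flag_amp) as AMP avg(cur_data) as data values(key) as key values(ip) as ip values(name) as name values(date) as date by _time, train_number, car_number, car
| where isnotnull(AMP)
```

The final where keeps every group that has at least one br-flag event, which matches the left join in the first posted query; dropping it keeps all groups, and adding AND isnotnull(data) keeps only groups that have both sides, which matches the plain inner join in the second query. If the two event types are timestamped slightly differently, insert a bin _time span=... step (span chosen to fit the data) before the stats so that events in the same interval fall into the same group instead of never matching.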
