Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- subsearch join
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anything wrong with this join and subsearch? I know there are events which should match based on the 'cs_host' field. Not sure if the rename is confusing things, or my syntax is off slightly.
index=aaa sourcetype=o365 "*phish URLs*"
| rename zu as cs_host
| join type=inner cs_host [ | search index=bbb sourcetype="proxy_logs" | fields *] | stats count by cs_host
Appreciate any ideas.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.
So, if the matching results you are expecting are outside of the limits, they will not be returned.
Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:
(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's legal - but seems to be pointless
You're doing a | join, ostensibly to get more fields, and then immediately throw them all away with a | stats count by
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your syntax looks good to me. However remember the results are subject to limits.conf.spec:
from https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/SearchReference/Join :
Limitations on the subsearch for the join command are specified in the limits.conf.spec file. The limitations include the maximum subsearch to join against, the maximum search time for the subsearch, and the maximum time to wait for subsearch to fully finish. See Subsearches in the Search Manual.
So, if the matching results you are expecting are outside of the limits, they will not be returned.
Just as a suggestion, based on your search, I think this would give you the same results without the expense of a subsearch:
(index=aaa sourcetype=o365 "*phish URLs*" ) OR (index=bbb sourcetype="proxy_logs" | fields cs_host) |where zu=cs_host | stats count by cs_host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good spot. Sub search limitations. Its caught me out before and will do again I'm sure! If I switch the query around it works fine. Many thanks.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
