Splunk Search

Error in 'join' command: Usage: join ()? [subsearch]

jeffreygaraygay
Explorer

I get the error "Error in 'join' command: Usage: join <options> (<join-fields>)? [subsearch]" when running the following search within a macro but it runs fine and produces desired results if i run it in a regular search without encasulating it inside a macro so it means that the main and subsearches inside the join command are working fine. Any help will be appreciated.

| inputlookup bank_statement | join type=outer key [search index=treasury sourcetype="treasury_wss_ebs" | regex path="ARCHIVE|ERROR" | regex path!="SWIFT" | eval mtime=round(strptime(modtime, "%a %b %d %H:%M:%S %Y")) | eval tz=strftime(now(),"%z") | eval offset=tonumber(tz/100) | eval eastern_time=mtime+(offset*60*60) | eval time=strftime(eastern_time, "%b %d %H:%M:%S %Y") | eval x=split(path,"/") | eval c=mvcount(x)-1 | eval filename=mvindex(x,c) | rex field=filename "^(?<bank>[^_]+)" | where bank!=filename | eval y=split(filename,"_") | eval type=mvindex(y,2) | eval x=mvindex(y,3) | rex field=x "^(?<location>[^\d]+)" | eval location=if(isnull(location),"-",location) | eval key=bank.type.location]

Tags (2)
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Make sure the ENTIRE search is on a single line within the macros.conf file. Line breaks will kill this quite quickly.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...