Re: Error when using append and join-- Search Fact...

kteng2024 · ‎11-03-2017

Hi ,

Below are the two queries for which I am trying to join the output of the both queries but I am facing an issue as Search Factory: Unknown search command 'index'.

First query

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute

Second query

index=apache* sourcetype=web_logs
host=cde OR host=wxy | table BClog

When I tried the both append and join it is not working .

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| join [ index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| append [ index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

niketn · ‎11-03-2017

@kteng2024, add search in the subquery and try.

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| append [ search index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Error when using append and join-- Search Factory: Unknown search command 'index'.

What's New in Splunk Observability - November 2025

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Are you a member of the Splunk Community?

Error when using append and join-- Search Factory: Unknown search command 'index'.

What's New in Splunk Observability - November 2025

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...