Re: Error when using append and join-- Search Fact...

kteng2024 · ‎11-03-2017

Hi ,

Below are the two queries for which I am trying to join the output of the both queries but I am facing an issue as Search Factory: Unknown search command 'index'.

First query

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute

Second query

index=apache* sourcetype=web_logs
host=cde OR host=wxy | table BClog

When I tried the both append and join it is not working .

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| join [ index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| append [ index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

niketn · ‎11-03-2017

@kteng2024, add search in the subquery and try.

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| append [ search index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Error when using append and join-- Search Factory: Unknown search command 'index'.

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Error when using append and join-- Search Factory: Unknown search command 'index'.

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25