Error when using append and join-- Search Factory:...

kteng2024 · ‎11-03-2017

Hi ,

Below are the two queries for which I am trying to join the output of the both queries but I am facing an issue as Search Factory: Unknown search command 'index'.

First query

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute

Second query

index=apache* sourcetype=web_logs
host=cde OR host=wxy | table BClog

When I tried the both append and join it is not working .

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| join [ index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| append [ index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

niketn · ‎11-03-2017

@kteng2024, add search in the subquery and try.

index=apache* sourcetype=access_log
host=xyz OR host=abc | timechart
span=10m count as requests_per_minute
| append [ search index=apache*
sourcetype=web_logs host=cde OR
host=wxy | table BClog ]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Error when using append and join-- Search Factory: Unknown search command 'index'.

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

Error when using append and join-- Search Factory: Unknown search command 'index'.

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!