Solved: Re: Unable to Put Together Join Search

IRHM73 · ‎08-27-2015

Hi, I wonder whether someone may be able to help me please.

After reading the Splunk documentation I'm trying to put together a Join query with the following:

index="main" auditSource=*auth* auditType=LoginEntitlements detail.EmpRef=* 
  | rename detail.EmpRef AS REF
  |Join REF [Chris EI-GG]
  | stats count by REF

Where [Chris EI-GG] is the name of the saved search which I want to join to the above.

I've clearly done something wrong because I receive the error 'Unknown search command 'chris'.

Could someone perhaps explain to me please where I've gone wrong.

Many thanks and kind regards

Chris

chanmi2 · ‎08-27-2015

Hi, you may want to take a look at this answer
http://answers.splunk.com/answers/55715/joining-results-from-saved-searches.html
and try

join REF [| savedsearch "Chris EI-GG" ]

Hope this help

View solution in original post

chanmi2 · ‎08-27-2015

Hi, you may want to take a look at this answer
http://answers.splunk.com/answers/55715/joining-results-from-saved-searches.html
and try

join REF [| savedsearch "Chris EI-GG" ]

Hope this help

IRHM73 · ‎08-27-2015

Hi @chanmi2, thank you once more for helping me out with this. It is greatly appreciated and works fine.

Kind regards

Chris

Unable to Put Together Join Search

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Unable to Put Together Join Search

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability