I'm doing a join where I want to only get subsearch events that happened before the parent search event. Thus, I'm using:
txnEnd | spath output=custID path=path | join custID [search txnStart | spath output=amount path=path] | table custID, amount
Since txnEnd comes after txnStart, I'm using join's default usetime=true earlier=true. Whether or not I explicitly state these values, I am getting records in the table where txnStart happens after txnEnd (tested by getting the _time of each event and displaying the difference between them).
Why doesn't Splunk only join on the earlier events? What can I do to make it so that txnEnd will only join with events from txnStart that happened before txnEnd?
Edit
I thought I might mention that the same custID applies to multiple txnEnds and multiple txnStarts. The two events do not have a unique ID that ties them together, so I have to determine which txnStart belongs to a txnEnd based on which txnStart with the same custID happened most recently before that txnEnd.
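The pairing the question describes, written out as an added Python example that is not part of the original post or of Splunk: each txnEnd is matched to the latest txnStart with the same custID whose _time is strictly earlier (an "as-of" join), and a plain key-only join is shown beside it so the rows where the start lands after the end, which the poster observed, can be counted. The events, the field names custID, amount and _time, and the numeric epoch timestamps are constructed for the example.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample events (not from the original post). _time is an epoch
# second, custID the key, and amount is carried only on txnStart events.
# Customer c1 has two starts and three ends, one of which precedes every start.
EVENTS = [
    {"type": "txnStart", "_time": 100, "custID": "c1", "amount": 10},
    {"type": "txnEnd",   "_time":  90, "custID": "c1"},  # no earlier start
    {"type": "txnEnd",   "_time": 150, "custID": "c1"},
    {"type": "txnStart", "_time": 200, "custID": "c1", "amount": 25},
    {"type": "txnEnd",   "_time": 260, "custID": "c1"},
    {"type": "txnStart", "_time": 120, "custID": "c2", "amount": 7},
    {"type": "txnEnd",   "_time": 130, "custID": "c2"},
]


def key_only_join(events):
    """Pair every txnEnd with every txnStart sharing its custID, ignoring time.

    Returns a list of (custID, end_time, start_time, amount). This mirrors a
    join that matches on custID alone and is what produces rows whose
    txnStart lies after the txnEnd.
    """
    starts = defaultdict(list)
    for e in events:
        if e["type"] == "txnStart":
            starts[e["custID"]].append(e)
    rows = []
    for e in events:
        if e["type"] == "txnEnd":
            for s in starts.get(e["custID"], []):
                rows.append((e["custID"], e["_time"], s["_time"], s["amount"]))
    return rows


def starts_after_end(rows):
    """Count rows from key_only_join whose start happened after the end."""
    return sum(1 for _, end_t, start_t, _ in rows if start_t > end_t)


def asof_join(events):
    """Pair each txnEnd with the latest txnStart of the same custID that is
    strictly earlier in _time.

    Returns a list of (custID, end_time, amount) ordered by end_time; amount
    is None when no earlier start exists for that customer.
    """
    starts = defaultdict(list)
    for e in events:
        if e["type"] == "txnStart":
            starts[e["custID"]].append((e["_time"], e["amount"]))
    for lst in starts.values():
        lst.sort()  # ascending by _time so bisect can be used
    rows = []
    for e in sorted(events, key=lambda x: x["_time"]):
        if e["type"] != "txnEnd":
            continue
        cand = starts.get(e["custID"], [])
        times = [t for t, _ in cand]
        # First start at or after the end time; the one before it is the
        # most recent start strictly earlier than this end.
        i = bisect_left(times, e["_time"])
        amount = cand[i - 1][1] if i > 0 else None
        rows.append((e["custID"], e["_time"], amount))
    return rows


if __name__ == "__main__":
    naive = key_only_join(EVENTS)
    print("key-only join rows:", len(naive),
          "with start after end:", starts_after_end(naive))
    for row in asof_join(EVENTS):
        print("as-of join:", row)
```

A txnEnd with no preceding txnStart is kept with amount None here so it is visible; drop those rows if the desired output is an inner join. Starts with exactly the same _time as the end are deliberately excluded by bisect_left; change it to bisect_right to treat them as earlier.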