I am a solution architect for an operator and I am evaluating Splunk for the organization. Currently I am trying to do the following:
I have a log file that contains the following information:
Date, Time, Request Type, XML Message
For example:
2010-07-22 09:10 Sent <Employee_INFO_REQ><EMP_ID>54634</EMP_ID></Employee>
2010-07-22 09:10 Received <Employee_INFO_RES><EMP_ID>54634</EMP_ID><EMP_NAME><EMP_NAME><EMP_SALARY></EMP_SALARY><EMP_Position></EMP_Position><Employee_INFO_RES>
I am extracting the following fields:
date(2010-07-22), time(09:10), Request Type (Send), Message Type (Employee_INFO_REQ)
If I am searching for transactions related to a specific employee it is simple, as I
could search using the EMP_ID value and this will return all relevant transactions.
But for situations like the one below:
2010-07-19 07:15 Sent <Employee_INFO_REQ><EMP_ID>23</EMP_ID></Employee>
2010-07-19 07:15 Received <error>E245 Employee not found</error>
If I search using the emp_id only, then only the request will be displayed,
but the corresponding error response will not be displayed. I am wondering if I could search using the emp_id and, if the following event is an error at the same time, also display it in the search results.
I have tried using joins and subqueries but they did not work.
Join using the time:
search source="src" emp_id="23" | join type=inner date_time [ search source="src" | where message_type="error" | fields + date_time ]
Kindly note that each of these commands by itself returns correct data, but the join for some reason does not work.
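The correlation the question asks for (show the request for a given EMP_ID, and also the error response that immediately follows it at the same timestamp, even though the error line carries no EMP_ID) is easier to reason about once the pairing rule is written out explicitly. The following is an added example, not code from the post above or from Splunk: a small Python parser for the log format described in the question plus a pairing routine that attributes a reply carrying an EMP_ID to the matching open request, and a reply without one (the `<error>` case) to the newest unanswered request within a time window. The sample lines are constructed for the example (with well-formed closing tags), and the `max_gap_minutes` parameter is an added generalization; with its default of 0 it enforces the "same date and time" rule from the question.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample lines in the format described in the question (not real log data).
SAMPLE_LOG = """\
2010-07-22 09:10 Sent <Employee_INFO_REQ><EMP_ID>54634</EMP_ID></Employee_INFO_REQ>
2010-07-22 09:10 Received <Employee_INFO_RES><EMP_ID>54634</EMP_ID><EMP_NAME>A. Person</EMP_NAME></Employee_INFO_RES>
2010-07-19 07:15 Sent <Employee_INFO_REQ><EMP_ID>23</EMP_ID></Employee_INFO_REQ>
2010-07-19 07:15 Received <error>E245 Employee not found</error>
2010-07-19 07:20 Sent <Employee_INFO_REQ><EMP_ID>77</EMP_ID></Employee_INFO_REQ>
2010-07-19 07:23 Received <error>E245 Employee not found</error>
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (Sent|Received) (.*)$")
EMP_ID_RE = re.compile(r"<EMP_ID>(\d+)</EMP_ID>")
MSG_TYPE_RE = re.compile(r"^<([A-Za-z_]+)>")  # first XML tag names the message type


@dataclass
class Event:
    ts: datetime
    request_type: str       # "Sent" or "Received"
    message_type: str       # e.g. Employee_INFO_REQ, Employee_INFO_RES, error
    emp_id: Optional[str]   # None for replies that carry no EMP_ID (the error case)
    raw: str                # the original log line


def parse_log(text: str) -> List[Event]:
    """Extract the same fields the question extracts: date, time, request type, message type, EMP_ID."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the format
        date, time, req_type, xml = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        mt = MSG_TYPE_RE.match(xml)
        eid = EMP_ID_RE.search(xml)
        events.append(Event(ts, req_type, mt.group(1) if mt else "",
                            eid.group(1) if eid else None, line))
    return events


def pair_events(events: List[Event], max_gap_minutes: int = 0) -> List[Tuple[Event, Optional[Event]]]:
    """Pair each Sent event with its Received reply, in log order.

    A reply carrying EMP_ID is attributed to the newest unanswered request for that id.
    A reply without EMP_ID is attributed to the newest unanswered request whose timestamp
    is at most max_gap_minutes earlier; 0 means the reply must share the request's
    date and time, which is the rule asked for in the question.
    """
    max_gap = timedelta(minutes=max_gap_minutes)
    pending: List[Event] = []                      # unanswered requests, oldest first
    pairs: List[Tuple[Event, Optional[Event]]] = []
    for ev in events:
        if ev.request_type == "Sent":
            pending.append(ev)
            continue
        match = None
        for req in reversed(pending):              # newest unanswered request first
            if ev.emp_id is not None:
                if req.emp_id == ev.emp_id:
                    match = req
                    break
            elif timedelta(0) <= ev.ts - req.ts <= max_gap:
                match = req
                break
        if match is not None:
            pending.remove(match)
            pairs.append((match, ev))
        # a reply with no matching request is dropped here; it belongs to no transaction
    pairs.extend((req, None) for req in pending)   # requests that never got a reply
    return pairs


def search_employee(emp_id: str, text: str, max_gap_minutes: int = 0) -> List[str]:
    """Return the request line(s) for emp_id followed by any reply correlated to each."""
    out: List[str] = []
    for req, resp in pair_events(parse_log(text), max_gap_minutes):
        if req.emp_id == emp_id:
            out.append(req.raw)
            if resp is not None:
                out.append(resp.raw)
    return out


if __name__ == "__main__":
    for line in search_employee("23", SAMPLE_LOG):
        print(line)
```

For EMP_ID 23 this returns both the request and the `<error>` line that follows it at 07:15; for EMP_ID 77 only the request is returned by default, because its error arrives three minutes later, and passing `max_gap_minutes=5` widens the window so that pair is returned as well. In SPL, this kind of grouping is normally done with the `transaction` command (for example with `startswith`, `endswith` and `maxspan`) rather than with a `join` on a timestamp field, since `join` only matches rows on exact field equality.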