Although, in many cases the best thing to do is to not think of it as a join, break it down as a) a disjunction (sourcetype=A some terms) OR (sourcetype=B some other terms) b) a little eval to smooth things out in small ways, c) a stats command to pair everything up in the exact same way a join would. the best practice for advanced splunk developers is really to use lookups or stats or transaction, and only actually use the join command as a last resort.
