Knowledge Management

Whats the difference between join command search command while using subsearch? Can someone explain with scenarios please.

varad_joshi
Communicator

So I am looking to join results of 2 searches and as I can see on docs.splunk there are various ways to join
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Join

I am looking for difference between join and search command specially. Can someone elaborate please?

0 Karma

493669
Super Champion

There is no as such relation with join and search command but yes you can use search command in subsearch to retrieve events .
You do not need to specify the search command at the beginning of your search criteria.
When the search command is not the first command in the pipeline, the search command is used to filter the results of the previous command and is referred to as a subsearch.
Lets try an example:
Try run this anywhere search:

index=_internal|fields host source|join  host [search index=_internal|fields host sourcetype]

Here you are joining two indexes i.e. _internal by the common/primary field host and returning the events with fields host,source,sourcetype
but if you try to run this search without search command:

index=_internal|fields host source|join  host [index=_internal|fields host sourcetype]

it will give an error as Unknown search command 'index' so the first command in a subsearch must be a generating command such as search, eventcount, or tstatsetc. to retrieve events .
Hope this helps!

493669
Super Champion

Hi @varad_joshi,
if you find this useful then please accept the answer and do upvote.
Thanks.

0 Karma

amielke
Communicator

The Jogin command allows you depends on a field to bring two groups of search results together.

Example: search one have a result with the field IP-address and in the second search the results have a field IP-address, too.
If in both results the value of IP-adress equals the join will bring both result events together.

Result 1: IP-Adresse =192.168.1.1 and result 2 IP-address 192.168.1.1 will be joined.
Result 1: 182.168.1.2 and Result 2: 192.168.1.1 will Not joined.

Hope this helps

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...