Spent about a week on and off puzzling over a Splunk problem where the results from a subsearch in a join always turned out too low...
Until I realized that the subsearch can sometimes have several results, and the default is to only return the first row from a join, unless it's explicitly being called with the max=0 parameter.
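A small search that reproduces the behaviour described above, added here as an example and not taken from the original post: with max=0 every matching subsearch row is joined, and deleting max=0 falls back to the default of one row per main result, so the per-host sums come out too low. All rows are constructed with makeresults, and the field names host and bytes are assumptions made for the illustration.

```spl
| makeresults count=2
| streamstats count AS n
| eval host=if(n=1, "web01", "web02")
| table host
| join type=left max=0 host
    [| makeresults count=5
     | streamstats count AS n
     | eval host=if(n<=3, "web01", "web02"), bytes=n*100
     | table host bytes]
| stats count AS joined_rows sum(bytes) AS total_bytes BY host
```

Comparing joined_rows between the two runs shows whether a join is silently dropping subsearch matches.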

