All,
I have a join on the two sourcetypes set up like this ->
sourcetype="alog" -> id_number
sourcetype="blog" -> id
This is what my join looks like
sourcetype="alog" id_number=* | eval id=id_number | join id[ search sourcetype="blog" id=*| fields id]
For some reason, this join is only giving me results/fields that belong to alog.
What if I want the join to also give me all fields from blog wherever there was a match?
I thought Splunk supported outer joins.
Any clues?
You need to specify join type=outer
Update
Just noticed - the only field you're returning from the subsearch is id : fields id
So the only fields you'll see will come from the main search.
Don't limit the fields in the subsearch.
That did not seem to do the trick.
It still gave me only everything on the left that matched.
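The search with both of the answer's changes applied (type=outer, no fields restriction in the subsearch), followed by a join-free form of the same correlation. This is an added example, not part of the original thread. The second search assumes id_number in alog and id in blog carry the same key, as the question describes.

```spl
sourcetype="alog" id_number=*
| eval id=id_number
| join type=outer id
    [ search sourcetype="blog" id=* ]

(sourcetype="alog" id_number=*) OR (sourcetype="blog" id=*)
| eval id=coalesce(id_number, id)
| stats values(*) AS * BY id
```

Unlike the outer join, the stats form also returns ids that appear only in blog; filter on id_number afterwards if only rows with an alog event are wanted.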