Hi All,
Please help me debug an issue joining two searches on a common field.
I have two indexes with values that can be matched, and I want to get field_1 and field_2 from first_access_logs and field_3 and field_4 from node_access_logs.
first_access_logs has a trackingId, one part of which we call nodeTrackingId.
node_access_logs has the node tracking id, but it is stored in the src_ip field.
If I use the inner search to combine the two results, the query works, but I do not get fields from both searches in the final output, only the field from node_access_logs:
index=node_access_logs "search/api/another?value=&id"
[ search index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| rename nodeTrackingId as src_ip | fields src_ip
]
However, when I use this as a join query (I also tried removing type=inner from the command), it does not return any results:
index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| join type="inner" nodeTrackingId
[ search index=node_access_logs "search/api/another?value=&id"
| rename src_ip as nodeTrackingId
] | table field_1, field_2, field_3, field_4
Hi,
Could you please try the search below.
index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values"
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| join type="inner" nodeTrackingId max=0
[ search index=node_access_logs "search/api/another?value=&id"
| rename src_ip as nodeTrackingId
| fields nodeTrackingId, * ]
| table field_1, field_2, field_3, field_4
Thanks Dindu for replying. I tried the changes you suggested:
adding type="inner" and max=0
keeping the common field from the outer search (nodeTrackingId), renaming the src_ip field from the other search, and also selecting all fields along with nodeTrackingId in the search in brackets
but this did not change the result.
What are field_1, field_2, field_3, field_4?
nodeTrackingId / src_ip is not one of the field_X?
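As an added example (not from the original question or from Dindu's answer), here is the same correlation written without join: one search over both indexes, the common key derived per index, and stats used to bring the fields together. It assumes the field names used in the thread (tracking_id, src_ip, field_1 to field_4) and that field_1/field_2 exist only in first_access_logs events while field_3/field_4 exist only in node_access_logs events. The where clause keeps only tracking IDs seen in both indexes, which is what the inner join was meant to return.

```spl
(index=first_access_logs emp_id=472421 "14616113" "POST" "search/api/values")
    OR (index=node_access_logs "search/api/another?value=&id")
| rex field=tracking_id ":(?<nodeTrackingId>.+)"
| eval nodeTrackingId=if(index=="first_access_logs", nodeTrackingId, src_ip)
| stats values(field_1) as field_1, values(field_2) as field_2,
        values(field_3) as field_3, values(field_4) as field_4,
        dc(index) as index_count
    by nodeTrackingId
| where index_count=2
| table nodeTrackingId, field_1, field_2, field_3, field_4
```

The rex only fires on events that carry tracking_id, so for node_access_logs events the eval falls through to src_ip; dc(index) counts how many of the two indexes contributed to each nodeTrackingId. Besides keeping every field from both sides in one row, this avoids the subsearch result and time limits that apply to join. To diagnose why the original join returned nothing, run the first four lines above followed by `| stats count by index, nodeTrackingId` and compare the values side by side: if the extracted part of tracking_id and src_ip differ even slightly (trailing characters, a port suffix, different case), no join or stats will ever match them.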