Hi there,
I'm trying to join two indexes to get the id-value and ingest the data into the main index. Here is my scenario:
SPL: index=idx_1
Output columns: log_id, log_desc, log_date, cust_id, rgn_id
SPL: index=idx_2 sourcetype=RGN_ST source=RGN
Output columns: rgn_id, rgn_name, rgn_type, lookup_name
SPL: index=idx_2 sourcetype=CUST_ST source=CUST
Output columns: cust_id, cust_name, cust_phone, lookup_name
Now, I'm running this query to get all the values. It shows the columns (log_id, log_desc, log_date, cust_id, rgn_id, rgn_name, rgn_type, cust_id, cust_name, cust_phone, lookup_name) but does not populate the id-values coming from the idx_2 index. Please let me know if I'm doing anything wrong here.
index=idx_1
| dedup _raw
| join cust_id type=left
[ search index=idx_2 sourcetype=RGN_ST source=RGN lookup_name="customer" ]
| join rgn_id type=left
[ search index=idx_2 sourcetype=CUST_ST source=CUST lookup_name="region" ]
| fields - _raw
| fillnull value="-"
| table *