Been working on a proof of concept that seems to be eluding me. From my work with SQL I would expect that an Inner Join would return the same results regardless of which search is the primary and which is the sub. However, this doesn't seem to be the case. Using the first query returns approximately 600 events, whereas if the searches are flipped to the second query it returns more than 3000 events. Am I missing something or is this just an oddity of how joins really work in Splunk?
Query 1 - Approximately 600 results.
sourcetype=mcafee:protection signature=7058
| join type=inner host [search sourcetype=XmlWinEventLog:Security]
| table host, signature_name, Name
Query 2 - More than 3000 results.
sourcetype=XmlWinEventLog:Security
| join type=inner host [search sourcetype=mcafee:protection signature=7058 ]
| table host, signature_name, Name
I have tried both constraining and opening the max values returned, constraining the time, and specifying specific fields in each query to no avail.
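The asymmetry described above, as an added example that is not part of the original post. It models the behaviour documented for Splunk's `join` command: each event of the main (outer) search is joined with at most `max` subsearch results, and `max` defaults to 1, so the subsearch is effectively deduplicated on the join field and the result count follows the main search. Passing `max=0` gives the every-matching-pair semantics of a SQL INNER JOIN, which is order-independent. The host names, event counts and field values below are constructed sample data, not the poster's real data.

```python
from collections import defaultdict


def splunk_join(main, sub, field, max_matches=1):
    """Simplified model of `| join type=inner <field> [search ...]`.

    For each main-search event, keep at most `max_matches` subsearch events
    sharing the same value of `field` (0 means unlimited, like `max=0`).
    Subsearch field values overwrite main-search values on collision, which
    mirrors the command's default overwrite=true.
    """
    by_key = defaultdict(list)
    for s in sub:
        by_key[s[field]].append(s)
    joined = []
    for m in main:
        matches = by_key.get(m[field])
        if not matches:  # inner join: drop main events with no partner
            continue
        if max_matches > 0:
            matches = matches[:max_matches]
        for s in matches:
            joined.append({**m, **s})
    return joined


def sql_inner_join(left, right, field):
    """SQL-style INNER JOIN: every matching pair, independent of side order."""
    return splunk_join(left, right, field, max_matches=0)


# Constructed sample data (assumed, not from the post): 20 hosts appear in
# both sourcetypes, 5 domain controllers only in the Windows security log.
COMMON_HOSTS = [f"host{i:02d}" for i in range(20)]
EXTRA_HOSTS = [f"dc{i:02d}" for i in range(5)]

# 20 hosts x 30 events = 600 McAfee events for signature 7058
MCAFEE = [
    {"host": h, "sourcetype": "mcafee:protection", "signature": 7058,
     "signature_name": "Sample signature"}
    for h in COMMON_HOSTS for _ in range(30)
]
# 25 hosts x 160 events = 4000 Windows security events
WINSEC = [
    {"host": h, "sourcetype": "XmlWinEventLog:Security", "EventCode": 4688,
     "Name": f"proc{n}.exe"}
    for h in COMMON_HOSTS + EXTRA_HOSTS for n in range(160)
]


def query1():
    """McAfee as the main search, Windows events in the subsearch."""
    return splunk_join(MCAFEE, WINSEC, "host")


def query2():
    """Windows events as the main search, McAfee in the subsearch."""
    return splunk_join(WINSEC, MCAFEE, "host")


if __name__ == "__main__":
    print("query1 (max=1):", len(query1()))          # 600: one Windows event per McAfee event
    print("query2 (max=1):", len(query2()))          # 3200: one McAfee event per Windows event
    print("query1 (max=0):", len(sql_inner_join(MCAFEE, WINSEC, "host")))  # 96000
    print("query2 (max=0):", len(sql_inner_join(WINSEC, MCAFEE, "host")))  # 96000
```

With the default `max=1` the model reproduces the pattern in the post: the join keeps one subsearch event per main-search event, so the count is bounded by whichever search is on the left. Setting `max=0` makes the two orders agree, but only by producing every pair, which in this sample is 96,000 rows; in Splunk the subsearch is also capped (50,000 results by default for `join`), so large fan-out joins are usually better expressed with `stats` over both sourcetypes than with `join`.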