Hello,
I found that when I use a subsearch or the join command to join data,
I can't make Splunk return the complete result (compared to the join result we computed ourselves).
Can anyone help me with this? Thanks!
Here is my test data:
Input:
ab_data (1000 rows, fields: fa, fb, timestamp): http://paste.plurk.com/show/272467/
ac_data (1000 rows, fields: fa, fc, timestamp): http://paste.plurk.com/show/272469/
reference join result (226 rows, join by field fa): http://paste.plurk.com/show/272470/
The search commands I used:
Subsearch (only 23 rows returned): index="test_join_ac" [ search index="test_join_ab" | fields fa ]
Join (no matching result returned): index="test_join_ac" | join type=inner max=0 fa [ search index="test_join_ab" ]