While on a mission to eradicate 'join', I was showing someone how to replace a join statement with stats.
However, the use case was that the user wanted to know, in the result output, which fields had come from the joined data set and which had come from the parent, which can be done quite efficiently with:
| join key [
search index=b key=X
| rename * as joined_*, joined_key as key ]
In principle, it's simple to replace the join with a single stats, but the challenge is how to rename the fields that have come from index=b, so they can be identified by their field names.
Thanks for the suggestion. I'd tried setting the fields to null in my original experiment, but for some reason the results were unpredictable and it was not deleting fields - I didn't get time to investigate fully.