Since txnEnd comes after txnStart, I'm using join's default usetime=true earlier=true. Whether or not I explicitly state these values, I am getting records on the table where txnStart happens after txnEnd (tested by getting the _time of each event and displaying the difference between them).
Why doesn't Splunk only join on the earlier events? What can I do to make it so that txnEnd will only join with events from txnStart that happened before txnEnd?
I thought I might mention that the same custID applies to multiple txnEnds and multiple txnStarts. The two events do not have a unique ID that will tie them together, so I have to determine which txnStart belongs to txnEnd based off of which txnStart with the same custID happened the most recently before txnEnd.
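The pairing rule described in the question (each txnEnd goes with the most recent earlier txnStart that has the same custID), written out as an added example that is not part of the original post. It is a Python sketch that runs outside Splunk; the `(epoch_time, custID, kind)` tuple layout, the function name and the sample events are assumptions constructed for illustration.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample events: (epoch_time, custID, kind). Not real data.
SAMPLE_EVENTS = [
    (100, "A", "txnStart"),
    (130, "A", "txnEnd"),
    (200, "A", "txnStart"),
    (150, "B", "txnStart"),
    (260, "A", "txnEnd"),
    (140, "B", "txnEnd"),   # no earlier txnStart for B: must stay unmatched
    (300, "B", "txnEnd"),
]

def pair_ends_with_starts(events):
    """Pair every txnEnd with the latest txnStart of the same custID that
    happened strictly before it.

    Returns a list of (custID, start_time, end_time, duration) in end-time
    order; start_time and duration are None when no earlier start exists.
    """
    starts = defaultdict(list)   # custID -> list of txnStart times
    ends = []                    # (end_time, custID)
    for t, cust, kind in events:
        if kind == "txnStart":
            starts[cust].append(t)
        elif kind == "txnEnd":
            ends.append((t, cust))

    for times in starts.values():
        times.sort()
    ends.sort()

    pairs = []
    for end_t, cust in ends:
        times = starts.get(cust, [])
        # bisect_left returns how many starts are strictly earlier than end_t,
        # so a start with the same timestamp as the end is never selected.
        i = bisect_left(times, end_t)
        start_t = times[i - 1] if i else None
        duration = None if start_t is None else end_t - start_t
        pairs.append((cust, start_t, end_t, duration))
    return pairs

if __name__ == "__main__":
    for row in pair_ends_with_starts(SAMPLE_EVENTS):
        print(row)
```

An end with no earlier start is kept with a `None` start rather than being attached to a later one, which is the case the question reports seeing in the join output.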