So, if I understand you correctly, you get results from the first part of the search over 14 days without the join, but you are now saying that the full search over 14 days returns no resuts?

The search is 3 parts

1. The base tstats from datamodel
2. The join statement
3. Aggregations based on information from 1 and 2

So, run the second part of the search

| from inputlookup:incident_review_lookup 
| eval _time=time 
| stats earliest(_time) as review_time by rule_id

Then if that gives you data and you KNOW that there is a rule_id that is common to both parts 1 and 2, then it is the 3rd part of the search that is does not have the right fields available.

The way for you to diagnose this is to gradually build up the search, adding each PIPE section to the search to understand what is causing the data to disappear.

when i run the first part i got result and also for the second part but when i run them together i got no data

like that:

| tstats `summariesonly` earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | `drop_dm_object_name("Notable_Events_Meta")` | `get_correlations` | join rule_id [| from inputlookup:incident_review_lookup | eval _time=time]

i think there is a problem in the join 

So if part 1 and part 2 are successful in their own right, then the issue is either

1. the field rule_id is not in the first data set
2. the field rule_id is not in the incident_review_lookup lookup
3. there are no common instances of rule_id in both data sets

14 days

The query seems to be getting time in the join statements. If you run just this part of the query - what time range of data do you get back?

| tstats `summariesonly` earliest(_time) as _time from datamodel=Incident_Management.Notable_Events_Meta by source,Notable_Events_Meta.rule_id | `drop_dm_object_name("Notable_Events_Meta")` | `get_correlations`

it returned data for any time range i specify, especially 14 days that's what i want it returned data too so i think the problem with joining.

Yes, - the join is doing calculations with time taken from the lookup for each rule_id. It appears to be calculating review times based on those items found in the 14 day search and then looking for amount of time taken to review (ttt=review_time-_time).

It would seem that is the intention of the search, that you will see data going back more than the search window, as it appears that it is looking for activity in the last 14 days and then trying to find data about how long the incident has taken to review, which of course will have to look back to when the rule was originally triggered.

So, is there actually a problem?