I am trying to join two sourcetypes with a common field (ID). The problem occurs when I tried to limit one source to today's indexed data. If I execute the search in “fast mode” it applies index-time filter to both sources, but if I execute it in “verbose” it applies correctly to only one source. It works in both modes without index-time filter.
Search example over the last month:
(sourcetype=source1 _index_earliest=-d@d _index_latest=now) OR (sourcetype=source2) | stats first(fieldsource1), first(fieldsource2) by ID
Splunk Enterprise discovers fields other than default fields and fields explicitly mentioned in the search string only when you:
run a non-transforming search in the Smart search mode.
run any search in the Verbose search mode.
transforming search: A type of search command that orders the results into a data table. Transforming commands "transform" the specified cell values for each event into numerical values that Splunk Enterprise can use for statistical purposes. Searches that use transforming commands are called transforming searches.
Transforming commands include chart, timechart, stats, top, rare, contingency, and highlight.
So I'd recommend you use a rex command to extract the fields you want, and test and see if that works. If so, you could then permanently set it via EXTRACTs in the sourcetype's transforms.conf file.
I am not sure whether setting the search mode to Smart in the GUI will work, but the way I suggest is more efficient for you long-term.
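As an added example (not from the question or the answer above) of the rex approach: the extractions run before the transforming stats, so the fields exist regardless of search mode. The raw-event key names id=, status= and owner=, the regexes, and the field names fieldsource1/fieldsource2 are assumptions about the data.

```spl
(sourcetype=source1 _index_earliest=-d@d _index_latest=now) OR (sourcetype=source2)
| rex field=_raw "(?i)\bid=(?<ID>[A-Za-z0-9_-]+)"
| rex field=_raw "(?i)\bstatus=(?<fieldsource1>\S+)"
| rex field=_raw "(?i)\bowner=(?<fieldsource2>\S+)"
| eval fieldsource1=if(sourcetype=="source1", fieldsource1, null())
| eval fieldsource2=if(sourcetype=="source2", fieldsource2, null())
| stats first(fieldsource1) AS fieldsource1,
        first(fieldsource2) AS fieldsource2,
        values(sourcetype)  AS seen_in,
        min(_indextime)     AS first_indexed
        by ID
| where mvcount(seen_in)=2
```

The two eval lines keep a regex that happens to match in the other sourcetype from polluting the join, and seen_in/first_indexed let you confirm per ID that the index-time window was applied only to source1 (source2 IDs should still show index times older than today).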