Why does my search only return one event?

Ragate · ‎06-25-2018

I have joined two searches together. My search only returns one event that everything matches up but there are more than just one.
This is my search:

source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" | join type=left substr('context.custom.dimensions{}.LicenseKey',4,7) [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt"] | eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey',4,7) | where 'LicenseKeyID'='License Key Identifier' |

Any suggestions?

jkat54 · ‎06-28-2018

Can you provide us with a sample jsondump.txt and csv?

jkat54 · ‎06-25-2018

Change type=left to type=outer on the join.

Ragate · ‎06-25-2018

Did not work

jkat54 · ‎06-25-2018

Ok can you eval out the substring and use the field name in the join as opposed to the substring?

join type=outer fieldName

As opposed to

join type=outer substring(....

jkat54 · ‎06-25-2018

Like this

 source="C:\\Users\\ragate\\Desktop\\splunk\\LMCustomerRevLicense.csv" |eval LicenseKeyID=substr('context.custom.dimensions{}.LicenseKey',4,7)| join type=outer LicenseKeyID [search source="c:\\users\\ragate\\desktop\\splunk\\jsondump.txt]

Removed the where too

Ragate · ‎06-28-2018

Sorry for the late response but this did not work either.

Why does my search only return one event?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life