Hi @Rak, probably the issue is that the subsearch used in the join command has more than 50,000 results, and this limit gives you incomplete results. In addition, there's an error in your search: it isn't useful to have a main search and then a search command. At least, the join command is to be avoided, or used only when there isn't any other result, because it's very slow and resource consuming. So please rethink your search following my approach:

(index=testindex OR index=testindex2 source="insertpath" ErrorCodesResponse=PlanInvalid TraceId=*) OR (index=test ("Test SKU"))
| eval type=if(index="test","2","1")
| stats
earliest('@t') AS '@t'
values('@m') AS '@m'
values(RequestPath) AS RequestPath
dc(type) AS type_count
BY TraceId
| where type_count=2
| eval date=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%Y-%m-%d"), time=strftime(strptime('@t', "%Y-%m-%dT%H:%M:%S.%6N%Z"), "%H:%M")
| table time, date, TraceId, @MT, RequestPath

I'm not sure if the check on the number of types is relevant or not.

Ciao.
Giuseppe