I have 2 queries and joining it with "Join" using the common field "SessionID". With the below query I'm just getting the results if there are results from both the search. If there is no result ...
See more...
I have 2 queries and joining it with "Join" using the common field "SessionID". With the below query I'm just getting the results if there are results from both the search. If there is no result for either the parent search or the sub search the result is not getting printed. For example if there is no LogoutTime available from the sub search, the results of parent search is not getting printed and. Is there any way to achieve the desired result. index = test "testrequest" | rex "(?:.+email\=)(?<Email>[a-zA-Z0-9_\-\@\.]+)" | rex "(?:.+trasactionId\=)(?<TransactionID>[a-zA-Z0-9-]+)" | rex "(?:.+TransactionTime\=)(?<LoginTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+Status\=)(?<Status>\w+)" | rex "(?:.+TimeTaken\=)(?<TimeTaken>\d+)" | rex "(?:.+\+\+)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID | join SessionID [search index = test "testrespone" | rex "(?:.+TransactionTime\=)(?<LogoutTime>[a-zA-Z0-9\s:]+EDT)" | rex "(?:.+SessionId\=)(?<SessionID>[a-zA-Z0-9-_:@.]+)(?:\:Status)" | table SessionID,LogoutTime] | table Email,TransactionID,LoginTime,Status,TimeTaken,SessionID,LogoutTime