The two queries I believe are similar, but still I get a very different number of results. I have changed the subsearch and join maxout in limits.conf. "productId" is the only common field across both tables.
sourcetype=all_review earliest=01/01/2012:0:0:0 latest=12/31/2012:23:59:59
| JOIN type=inner productId [SEARCH sourcetype=categories] | where pCategory="Movies"
18000 results returned
sourcetype=all_review earliest=01/01/2012:0:0:0 latest=12/31/2012:23:59:59
| JOIN type=inner productId [SEARCH sourcetype=categories pCategory="Movies"]
221,123 results returned.
I feel a subsearch/join maxout is hard-coded in Splunk. I need to find an alternative to join here.