Hi All,
I am looking for options to use to join two searches which have a common field. I have already tried the JOIN command, which has more performance impact. Below is the query that I use now.
Search A returns the fields TxnId and Queue
Search B returns the minimum and maximum times
Search A | fields TxnId,Queue | join TxnId [ search B or C | stats min(_time) as start_time, max(_time) as end_time by TxnId | eval total_time = end_time - start_time] | table total_time,Queue
Search A returns an average of 600+ events but the join takes more than 60 seconds to return the results.
Are there any other methods or commands which I can use to join these two searches?
Thanks in Advance
Regards
Murali