Join query return weird result. Sometime its pull correct result & if I execute the same query after 2 mins. Some of the values are not correct
I have two Indexes. The scenario is to filter out the data that is common in both indexes basis of "ticketnumber" & pull out only those tickets where MoveIndate is greater than createddate
IndexA is having these columns ticketnumber, createddate, status
IndexB is having ticketnumber,MoveIndate,assignmentgroup.
Output of the query is not consistent all the time. Sometimes, all data fetched in the attributes & sometime time - createddate & status are coming as blank.
While these attributes are coming as blank in the statistics (table), I checked the values in the "Events" & and found that data is always available in the "Events"
I am not sure - how to troubleshoot this. Kindly help me to resolve this issue as I am stuck on this. Let me know, if the join is not correct.
My Query:
index=IndexA
| dedup ticketnumber
| join type=inner ticketnumber
[ search index=IndexB ]
| eval Move_Indate= strptime(MoveIndate , "%Y-%m-%d")
| eval created_date_= strptime(createddate, "%Y-%m-%d")
| where (MoveIndate >createddate)
| table ticketnumber,createddate,status,MoveIndate,assignmentgroup
... View more