Hello,
I am using the following search to parse 2 indexes, since I want to combine the results from both indexes based on the common field "email". I am running this search on my local Splunk instance, and both indexes are uploaded CSVs. I have configured the limits.conf file to handle the large dataset. I get different output for Clicked_link and delivered_email when I use the OR operator in the join versus when I just use either of them, in which case I get the correct output. Am I missing something here? Why is the OR operator trimming the output result? I see 0 output for a bunch of tables when normally they are populated with some number.
index=IndexA
| join type=inner email [ search index=IndexB ( event=delivered OR event=click ) | dedup email event | fields email, event ]
| stats count(eval('event'="delivered")) as Email_Delivered
count(eval('event'="click")) as Clicked_links
by Region, Division, Country, Location
| table Region, Division, Country, Location, "Email_Delivered" , Clicked_links
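A small model of the join's row-matching behaviour, added here as an illustration and not part of the original post or of Splunk's own code. It assumes Splunk's documented default of `max=1` for `join` (each IndexA row keeps only the first matching subsearch row; `max=0` lifts the limit) and uses constructed sample data in place of the two CSV indexes, so the three variants of the search can be compared side by side.

```python
from collections import defaultdict

# Constructed sample data (assumed; not from the original post).
INDEX_A = [{"email": "a@example.com", "Region": "EMEA"},
           {"email": "b@example.com", "Region": "EMEA"},
           {"email": "c@example.com", "Region": "APAC"}]
INDEX_B = [{"email": "a@example.com", "event": "delivered"},  # a@ and c@
           {"email": "a@example.com", "event": "click"},      # both received
           {"email": "b@example.com", "event": "delivered"},  # and clicked
           {"email": "c@example.com", "event": "delivered"},
           {"email": "c@example.com", "event": "click"}]

def subsearch(events, wanted):
    """Model of: index=IndexB (event=...) | dedup email event | fields email, event"""
    seen, out = set(), []
    for e in events:
        key = (e["email"], e["event"])
        if e["event"] in wanted and key not in seen:
            seen.add(key)
            out.append({"email": e["email"], "event": e["event"]})
    return out

def inner_join(left, right, key, max_rows=1):
    """Model of `join type=inner <key>`. Assumption: each left row pairs with at most
    max_rows subsearch rows (Splunk default max=1; 0 = unlimited), first match kept."""
    joined = []
    for l in left:
        matches = [r for r in right if r[key] == l[key]]
        joined.extend({**l, **r} for r in (matches[:max_rows] if max_rows else matches))
    return joined

def count_events(rows):
    """Model of: stats count(eval(event="delivered")) count(eval(event="click")) by Region"""
    counts = defaultdict(lambda: [0, 0])
    for r in rows:
        if r["event"] == "delivered":
            counts[r["Region"]][0] += 1
        elif r["event"] == "click":
            counts[r["Region"]][1] += 1
    return {region: tuple(v) for region, v in counts.items()}

def run(wanted, max_rows=1):
    """Whole pipeline: {Region: (Email_Delivered, Clicked_links)}."""
    return count_events(inner_join(INDEX_A, subsearch(INDEX_B, wanted), "email", max_rows))

if __name__ == "__main__":
    print(run({"delivered"}), run({"click"}))       # each alone: every event row survives
    print(run({"delivered", "click"}))              # OR with max=1: the click rows are dropped
    print(run({"delivered", "click"}, max_rows=0))  # OR with max=0: both columns populated
```

With the OR, the subsearch returns two rows for any recipient who both received and clicked, and the default `max=1` keeps only the first of them per email, which is why whole columns can collapse to 0; adding `max=0` to the join, or aggregating both indexes with `stats ... by email` instead of joining, avoids that.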