I have a join on two searches. From the first search, the data returned is the same as the following table (equivalent of running this):
source="/home/pbarford/tmp/300913/resequencer/reseq01-application.2013-09-30.log" | search "Expiry" | rex "[nike.(?<eventid>[0-9]{1,45})]" | rex max_match=20 "L[(?<seqno>[0-9]{1,45})]" | fields eventid, seqno | table eventid, seqno
eventid   seqno
1         22
          45
          67
2         2
3         5
So what I want is to take the eventid and seqno and join them to the next query. The problem is that the join on eventid "1", as shown above, is not being done. For eventid 2 & 3 the join is being done. I am assuming this is due to the fact that for 1 there are multiple values in the seqno column. What is the best way around this problem?
The full query is below:
sourcetype="logtype1" | search "Expiry" | rex "[nike.(?<eventid>[0-9]{1,45})]" | rex max_match=20 "L[(?<seqno>[0-9]{1,45})]" | fields eventid, seqno | join eventid, seqno [ search sourcetype="logtype2" "Inserted" | rex "EventId: (?<eventid>\d+)" | rex "SeqNo: (?<seqno>\d+)" | rex "Duration: (?<duration>\d+)" | fields eventid, seqno, duration ] | table eventid, seqno, duration
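The behaviour described in the post is what you get when `join` compares a multivalue field: the single value "22" (or "45", "67") in the subsearch never equals the multivalue "22,45,67" on the outer side, so eventid 1 drops out while 2 and 3 match. The following SPL is an added example, not part of the original post; it rebuilds the poster's table and a matching "Inserted" side inline with `makeresults`/`eval` (constructed data, not the poster's logs) so it can be pasted into any Splunk search bar, and it splits the multivalue seqno into one row per value with `mvexpand` before the join:

```spl
| makeresults
| eval eventid="1", seqno="22,45,67"
| append [| makeresults | eval eventid="2", seqno="2"]
| append [| makeresults | eval eventid="3", seqno="5"]
| makemv delim="," seqno
| mvexpand seqno
| join eventid, seqno [
    | makeresults count=5
    | streamstats count AS n
    | eval eventid=case(n<=3,"1", n=4,"2", n=5,"3"),
           seqno=case(n=1,"22", n=2,"45", n=3,"67", n=4,"2", n=5,"5"),
           duration=n*10
    | fields eventid, seqno, duration
]
| table eventid, seqno, duration
```

With `mvexpand seqno` in place the result has five rows, one for each (eventid, seqno) pair including all three for eventid 1; remove the `mvexpand` line and the three eventid 1 rows disappear exactly as in the post. Applied to the poster's full query, the change amounts to inserting `| mvexpand seqno` between `fields eventid, seqno` and `join eventid, seqno [...]`. Note that `mvexpand` multiplies the outer row count, so on a large `max_match=20` extraction it is worth keeping `fields` tight before it.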