[updated the question based on feedback]
I am trying to join events from these 2 log entries
Events of Type 1
dateTime policyNo timeTook
2018-06-18 10:43:43,316 85107204 3.327
2018-06-18 10:39:08,253 85107204 3.887
2018-06-18 10:43:05,993 85107204 3.698
Events of Type 2
dateTime policyNo timeTook
2018-06-18 10:43:43,307 85107204 3.3
2018-06-18 10:43:05,986 85107204 3.657
2018-06-18 10:39:08,246 85107204 3.864
using the join
index="xyz" RuleModule="BizRule"
| rename timeTook as "Rule Response Time"
| table dateTime, policyNo, "Rule Response Time"
| join type=left usetime=true earlier=true max=1 policyNo
    [search index="xyz" client.xyz
    | fields policyNo customerNumber timeTook
    | rename timeTook as procTime]
| fields dateTime, policyNo, "Rule Response Time", procTime
I get 3.3 for all 3 events, whereas I am expecting the join to be unique. I also tried setting the usetime and max settings for join (based on comments), but it didn't help.