I have two query tables table 1 index="k8s_main" namespace="app02013" "EConcessionItemProcessingStartedHandler.createRma PH successfully created RMA" NOT [search index="k8s_main" namespace="app02013" "NonCustomerOrderShippingLabelGeneratedEventsUtil.processShippingLabelEvent Successfully published" | fields LPN]
```Table 1: created-RMA events, minus whatever the NOT subsearch returns.```
```NOTE(review): the subsearch ends in fields LPN but runs no rex of its own, and the LPN rex below only runs after this filter. The exclusion therefore works only if LPN is already a search-time field on both event types - confirm, otherwise the NOT likely excludes nothing.```
```Extract each value from the raw event text: the characters after the key name, colon and opening quote, up to the closing quote that is followed by a comma.```
| rex "LPN\": \"(?<LPN>[^,]+)\"\,"
| rex "location\": \"(?<location>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
```Keep one event per orderLineId. This runs on the value as extracted (before the clean-up below) and, with default dedup options, also drops events where orderLineId was not extracted.```
| dedup orderLineId
```Remove [ and ] characters from the extracted values.```
| eval LPN = replace(LPN, "\\[|\\]", "")
| eval location = replace(location, "\\[|\\]", "")
| eval orderNumber = replace(orderNumber, "\\[|\\]", "")
| eval orderLineId = replace(orderLineId, "\\[|\\]", "")
| table LPN location orderNumber orderLineId
table 2 index="k8s_main" namespace="app02013" "Published successfully event=[order-events-avro / com.nordstrom.customer.event.OrderLineReturnReceived]" ECONCESSION
```Table 2: OrderLineReturnReceived publish events that also contain the term ECONCESSION.```
```Extract each value from the raw event text: the characters after the key name, colon and opening quote, up to the closing quote that is followed by a comma.```
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
```Keep one event per orderLineId; with default dedup options, events where orderLineId was not extracted are dropped.```
| dedup orderLineId
```Remove double-quote characters from the extracted values. Square brackets are left in place here.```
| eval orderNumber = replace(orderNumber, "\"", "")
| eval orderLineId = replace(orderLineId, "\"", "")
| table orderNumber orderLineId
here is my join query: index="k8s_main" namespace="app02013" "EConcessionItemProcessingStartedHandler.createRma PH successfully created RMA" NOT [search index="k8s_main" namespace="app02013" "NonCustomerOrderShippingLabelGeneratedEventsUtil.processShippingLabelEvent Successfully published" | fields LPN]
```Left side of the join: created-RMA events, minus whatever the NOT subsearch returns, reduced to one row per orderLineId.```
| rex "LPN\": \"(?<LPN>[^,]+)\"\,"
| rex "location\": \"(?<location>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
| dedup orderLineId
```Left-side clean-up removes [ and ] only; any double quotes left in the value are kept.```
| eval LPN = replace(LPN, "\\[|\\]", "")
| eval location = replace(location, "\\[|\\]", "")
| eval orderNumber = replace(orderNumber, "\\[|\\]", "")
| eval orderLineId = replace(orderLineId, "\\[|\\]", "")
| table LPN location orderNumber orderLineId
```No type= is given, so this is an inner join: a left row is returned only when the right side has a row with an identical orderLineId string. Left rows with no match are dropped, so the result can be smaller than either table.```
```NOTE(review): the two sides normalise orderLineId differently (brackets stripped on the left, double quotes stripped on the right). If the raw values carry either character, the keys will not compare equal - verify by tabling both cleaned values side by side.```
```NOTE(review): the right side is a subsearch, so it is subject to the subsearch result-count and runtime limits in limits.conf; rows beyond those limits are not joined. Check the job inspector for truncation messages.```
| join left=L right=R where L.orderLineId = R.orderLineId [search index="k8s_main" namespace="app02013" "Published successfully event=[order-events-avro / com.nordstrom.customer.event.OrderLineReturnReceived]" ECONCESSION
| rex "orderLineId\": \"(?<orderLineId>[^,]+)\"\,"
| rex "orderNumber\": \"(?<orderNumber>[^,]+)\"\,"
| dedup orderLineId
```Right-side clean-up removes double quotes only; square brackets are kept.```
| eval orderNumber = replace(orderNumber, "\"", "")
| eval orderLineId = replace(orderLineId, "\"", "")
| table orderNumber orderLineId]
Each table returns unique rows, but the join query above returns less data. Please help me find the problem.