Hi experts,
I try to combine a normal search with a data model without the JOIN operator, because of the slow processing speed and the subsearch result limitation of 50.000 results per search.
I read in the .conf 2016 session by Nick Mealy (https://conf.splunk.com/files/2016/slides/let-stats-sort-them-out-building-complex-result-sets-that-use-multiple-source-types.pdf) that this not possible because the data model command is a generating command. 😞
Does anybody has a solution or face the same problem? I think it is really important to combine a data model and normal searches in a efficient way.
Kind regards,
Christopher
... View more