I am trying to join two search results with the common field project.
Here is an example:
First result would return for Phase-I
project sub-project processed_timestamp
p1 sp11 5/12/13 2:10:45.344 PM
p1 sp12 5/13/13 12:11:45.344 PM
p1 sp13 5/13/13 2:10:45.344 PM
p2 sp21 6/23/13 12:10:45.344 PM
p2 sp22 6/24/13 12:10:45.344 PM
p3 sp31 7/23/13 12:10:45.344 PM
p3 sp32 7/24/13 12:10:45.344 PM
p4 sp41 7/23/13 12:10:45.344 PM
----------
Second result would return for Phase-II
project sub-project processed_timestamp
p1 sp11 6/12/13 2:10:45.344 PM
p1 sp12 6/13/13 12:11:45.344 PM
p2 sp21 7/23/13 12:10:45.344 PM
p2 sp22 7/24/13 12:10:45.344 PM
Here is the output I am looking for
project phaseI_start phaseI_end phaseII_start phaseII_end
p1 5/12/13 2:10:45.344 PM 5/13/13 2:10:45.344 PM 6/12/13 2:10:45.344 PM 6/13/13 12:11:45.344 PM
p2 6/23/13 12:10:45.344 PM 6/24/13 12:10:45.344 PM 7/23/13 12:10:45.344 PM 7/24/13 12:10:45.344 PM
p3 7/23/13 12:10:45.344 PM 7/24/13 12:10:45.344 PM
p4 7/23/13 12:10:45.344 PM 7/23/13 12:10:45.344 PM (has only one sub-project, so the same time applies to start and end)
I tried using transaction for each search separately and used join as follows:
sourcetype="A" | transaction project | eval phaseI_start= ... | eval phaseI_end = ..... | fields project, phaseI_start, phaseI_end
| join project [search sourcetype="B" | transaction project | eval phaseII_start= ... | eval phaseII_end = ..... | fields project, phaseII_start, phaseII_end]
I do not get any result back. However, if I apply a filter to get specific projects using "where like(project,"P1%")" in both searches, then it works. The first search would return more than 10000 records and the second would return about 5000.
Thanks,
Sanjay
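An added example, not from the original post: one way to produce the requested output in a single search without the join subsearch (which is subject to Splunk's subsearch result and time limits, and is a likely reason the unfiltered search returns nothing). Both sourcetypes are pulled in one base search and stats does the per-project aggregation; it assumes processed_timestamp is an extracted string field in the format shown in the post (if the event time is the same value, use _time instead and drop the strptime step), and sourcetype names A and B are taken from the post.

```spl
(sourcetype="A") OR (sourcetype="B")
| eval phase=if(sourcetype="A", "I", "II")
| eval ts=strptime(processed_timestamp, "%m/%d/%y %I:%M:%S.%3N %p")
| stats min(eval(if(phase="I", ts, null()))) AS phaseI_start
        max(eval(if(phase="I", ts, null()))) AS phaseI_end
        min(eval(if(phase="II", ts, null()))) AS phaseII_start
        max(eval(if(phase="II", ts, null()))) AS phaseII_end
        BY project
| foreach phase* [ eval <<FIELD>>=strftime(<<FIELD>>, "%m/%d/%y %I:%M:%S.%3N %p") ]
| table project phaseI_start phaseI_end phaseII_start phaseII_end
```

Because min and max are computed over all sub-projects of a project, a project with a single sub-project (p4 in the post) gets the same value for start and end, and a project absent from Phase-II (p3, p4) simply has empty phaseII_* fields rather than being dropped, which matches the expected output.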