Join not working properly in version 6.6.2
I am writing a simple query using join. But it doesn't seem to give the correct result.
Objective of query: To list the host names that are present in lookup but are not coming in the output of the query.
| inputlookup host.csv
| join type left host
[ search index = X sourcetype="ABC" earliest=-5m@m
| stats latest(_time) as _time latest(dvc) as dvc by host,sourcetype ]
| fillnull value=NULL dvc
| where dvc="NULL"
Either I am doing some silly mistake or Splunk is acting weird.
Would anyone be able to advise.
↧