Search:
index="A" |dedup Id | table Id | join max=0 type=inner Id [search index="B" ]| stats count(Id)
When switching index A & B, I receive more results, but it still doesn't match all of the Ids.
After checking both indexes and doing analysis on the Ids, it was found that over 6000 Ids didn't join, even though they existed in each data set.
↧