Why does my query blow up in size with a join?
I have a query which without a join (for further analysis) runs in 2MB with 200K events. I added a metadata inner join on hostname (or so I think...) to add two new fields to the output for timechart bucketing. Splunk now tells me I'm using 500Mb with 200K events.
Something is messed up. I don't speak Splunk debug... Any easy ideas on what might be going on?
Also, would converting this metadata from a search index to a lookup table increase performance?