When I try to join three sourcetypes on CommonField, I don't get all the fields to populate in a table.
Example:
sourcetype1: CommonField, Field1, Field2, Field3
sourcetype2: CommonField, FieldX, FieldY, FieldZ
sourcetype3: CommonField, FieldA, FieldB, FieldC
Query:
source=data* | transaction CommonField keepevicted=true | table Field1, FieldX, FieldY, FieldA, FieldC
It does not populate all fields in the table. How can I join three sourcetypes on CommonField so that, once joined, I can search as if each joined event has all those fields?
Thanks in advance!