I have esbetalog in JSON format and etaprd in RAW format, outer joined on the CUSTOMER_ORDER_NUMBER column.
Both have the same CUSTOMER_ORDER_NUMBER data, but the etaprd data is not coming through in the result.
etaprd can have one or more _raw events.
Sample query below:
index=esbetalog source=PRD (LINE_OF_BUSINESS_CD="R" OR LINE_OF_BUSINESS_CD="C")
| rename .CUSTOMER_ORDER_NUMBER as CUSTOEMR_ORDER_NUMBER
| join type=left CUSTOMER_ORDER_NUMBER [search index=etaprd source=PRD ]
| table CUSTOMER_ORDER_NUMBER, ETA_FROM_TIME, ETA_TO_TIME, ARRIVECUSTOMERSTAMP, LINE_OF_BUSINESS_CD
| sort ETA_FROM_TIME