I am building a table query to list down tickets against applications. Where tickets are stored in sourcetype 'a' and application names are stored in sourcetype 'b' with a common ID field
When time filter is all time, query works just fine. When time filter is changed to today or this week, i am not getting results. I think this is because there will be no events/new entries in sourcetype 'b' as it is a master table.
I would like to know if using 'join' for this scenario is correct or should i use some other method.
Note: Sourcetype 'a' will have daily events, sourcetype 'b' is static
↧
Joining sourcetype a with sourcetype b where sourcetype b is a reference table with no daily changes
↧