Why is the join command joining more than it should in my search results?

Hi. I have this data:

| Row | cTime | pTime | uName | connectionId |
|---|---|---|---|---|
| 1 | 23:10:54 | 22:34:08 | user1 | user1Connection1 |
| 2 | 22:34:58 | 21:02:53 | user2 | user2Connection2 |
| 3 | 21:02:53 | 20:34:34 | user1 | user1Connection1 |
| 4 | 20:34:34 | 19:23:34 | user2 | user2Connection2 |

The cTime column represents a time of connection, with the previous connection time in the pTime column, the name of the user who made the connection in the uName column, and the Id of the connection in the connectionId column.

In order to get some parts of the table populated, I have to do a subsearch, because not all the data I need is in one entry, but can be found in another entry by means of linking them together with **connectionId**. I do a search like:

```
index=* "...."
| join connectionId
    [ search "connection success"
      | reverse
      | streamstats current=f last(connectionTime) as pTime
      | reverse
      | fields pTime, connectionId ]
```

The problem is, the pTime cells in row 1 are being populated by the pTime cells in row two, when there should not be any data from row 2 showing up at all by virtue of the `join connectionId` command. It should only be `join`ing data with a **connectionId** value of "user1Connection1"... but this is not happening.

Am I doing the `join` wrong? I can't find anything in the docs that says I am. Is there a better way to link the two entries together?

Thanks for your help
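As an added example (not part of the post above), the following self-contained search rebuilds a four-row dataset like the one in the question with `makeresults` and runs the post's `reverse | streamstats current=f last(...) | reverse` step twice: once over all rows, and once scoped with `by connectionId`. The field `connectionTime` is assumed to be the epoch form of `cTime`, as the post's subsearch suggests; the sample times are constructed and are not the post's values.

```spl
| makeresults count=4
| streamstats count AS Row
| eval uName=case(Row=1, "user1", Row=2, "user2", Row=3, "user1", Row=4, "user2")
| eval connectionId=case(Row=1, "user1Connection1", Row=2, "user2Connection2",
                         Row=3, "user1Connection1", Row=4, "user2Connection2")
| eval cTime=case(Row=1, "23:10:54", Row=2, "22:34:58", Row=3, "21:02:53", Row=4, "20:34:34")
| eval connectionTime=strptime(cTime, "%H:%M:%S")
| reverse
| streamstats current=f last(connectionTime) AS pTimeAnyUser
| streamstats current=f last(connectionTime) AS pTimeSameConn BY connectionId
| reverse
| eval pTimeAnyUser=strftime(pTimeAnyUser, "%H:%M:%S")
| eval pTimeSameConn=strftime(pTimeSameConn, "%H:%M:%S")
| table Row cTime pTimeAnyUser pTimeSameConn uName connectionId
```

In the output, `pTimeAnyUser` for Row 1 is Row 2's time (22:34:58, the other user's connection), while `pTimeSameConn` for Row 1 is Row 3's time (21:02:53, the same connectionId), which is the distinction to check before the `join` runs.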
