Spent about a week on and off puzzling over a Splunk problem where the results from a subsearch in a join always turned out too low...
Until I realized that the subsearch can sometimes have several results, and the default is to only return the first row from a join, unless it's explicitly being called with the max=0 parameter.
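
The effect described in the post, as an added example that is not part of the original post: a simplified Python model of how `join` matches rows with the default `max=1` versus `max=0`, plus a check for keys where the default drops rows. The field names (`host`, `failed_logins`, `owner`) and the sample rows are constructed; this models only the row-matching rule, not Splunk itself.

```python
# Simplified model of Splunk's `join` row matching (added example, not Splunk code).
# Assumption: an inner join on one key field; field names and data are constructed.
from collections import defaultdict


def join(main_rows, sub_rows, key, max_matches=1):
    """Inner join. max_matches mirrors join's max= argument: 1 is the default, 0 = no limit."""
    by_key = defaultdict(list)
    for row in sub_rows:
        by_key[row[key]].append(row)
    out = []
    for main in main_rows:
        matches = by_key.get(main[key], [])
        if max_matches > 0:
            matches = matches[:max_matches]  # default keeps only the first subsearch row
        for sub in matches:
            out.append({**main, **sub})      # one output row per retained match
    return out


def multi_match_keys(sub_rows, key):
    """Keys with more than one subsearch row, i.e. where max=1 silently drops data."""
    counts = defaultdict(int)
    for row in sub_rows:
        counts[row[key]] += 1
    return sorted(k for k, c in counts.items() if c > 1)


def total(rows, field):
    return sum(r[field] for r in rows)


# Constructed sample data: main search rows and subsearch rows.
MAIN = [{"host": "web01", "owner": "team-a"}, {"host": "db01", "owner": "team-b"}]
SUB = [
    {"host": "web01", "failed_logins": 4},
    {"host": "web01", "failed_logins": 7},
    {"host": "web01", "failed_logins": 2},
    {"host": "db01", "failed_logins": 5},
]

if __name__ == "__main__":
    print("max=1 total:", total(join(MAIN, SUB, "host"), "failed_logins"))
    print("max=0 total:", total(join(MAIN, SUB, "host", max_matches=0), "failed_logins"))
    print("keys truncated by max=1:", multi_match_keys(SUB, "host"))
```
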
