Hi,
I'm not sure if it's an issue because I don't know the impact of the modification below.
My environment: Cluster Manager in Splunk v9.3.X
- Kvstore exists and is enabled
- The variable 'BACKUPKV' is disabled (0)
Result in 'splunkconf-backup' when the backup occurs:
Backup KV local is missing.
I found your SPL search with a 'join=left':
|makeresults | eval host="XXXX(HIDE)XXXX" | makemv delim="|" host| eval object=mvappend("etc","scripts","kvdump","kvstore","state"), type=mvappend("local","remote") | mvexpand host| mvexpand object | mvexpand type | join type=left host,type,object [search index=_internal source="splunkconf-backup.log" "splunkconf-backup" NOT "splunkconf-purgebackup" action=backup NOT result="running" | bin _time span=1d | stats count as nb,latest(_raw) , latest(result) as result , values(result) as list_result by type,host,object]
The request doesn't find any log about kvdump or kvstore, but they exist in the '_internal' index.
However, when I change the join to 'inner':
|makeresults | eval host="XXXX(HIDE)XXXX" | makemv delim="|" host| eval object=mvappend("etc","scripts","kvdump","kvstore","state"), type=mvappend("local","remote") | mvexpand host| mvexpand object | mvexpand type | join type=inner host,type,object [search index=_internal source="splunkconf-backup.log" "splunkconf-backup" NOT "splunkconf-purgebackup" action=backup NOT result="running" | bin _time span=1d | stats count as nb,latest(_raw) , latest(result) as result , values(result) as list_result by type,host,object]
I find the correct results.
Can you tell me the impact if we modify this join?
Best regards,
MAStephen