Hi!
I'm new to Streaming Expressions (running solr cloud 6.5.0) and I'm facing
a weird behaviour that I don't understand. I'm able to make a join and
retrieve results:
select(
innerJoin(
select(
search(iocs, q=ip:"10.153.9.175", fl="ip,indicator, type", sort="ip asc"),
indicator AS t1_indicator,
type AS t1_type,
ip AS t1_ip
),
select(
search(iocs2, q=ip:"10.153.9.175", fl="ip,indicator, type", sort="ip asc"),
indicator AS t2_indicator,
type AS t2_type,
ip AS t2_ip
),
on="t1_ip=t2_ip"
),
t1_indicator as t1_indicator,
t2_indicator as t2_indicator,
t1_type as t1_type,
t2_type as t2_type
)
The problem comes when I try to make the same query against all data:
select(
innerJoin(
select(
search(iocs, *q=*:**, fl="ip,indicator, type", sort="ip asc"),
indicator AS t1_indicator,
type AS t1_type,
ip AS t1_ip
),
select(
search(iocs2, *q=*:**, fl="ip,indicator, type", sort="ip asc"),
indicator AS t2_indicator,
type AS t2_type,
ip AS t2_ip
),
on="t1_ip=t2_ip"
),
t1_indicator as t1_indicator,
t2_indicator as t2_indicator,
t1_type as t1_type,
t2_type as t2_type
)
This time the result is:
{ "result-set": { "docs": [ { "EOF": true, "RESPONSE_TIME": 7 } ] } }
When I try to execute any of the searches alone (i.e. search(iocs, *q=*:**,
fl="ip,indicator, type", sort="ip asc")), I get lots of results.
Any help is really appreciated. Thanks,
Jordi
