I am trying to load txids from a lookup file and, for each txid, get the earliest and latest times to print the information in a table.
Here are the steps I have tried so far:
First, I loaded txids from a lookup file using the following query:
| inputlookup cached_txids.csv
Next, I picked one of the txids from the list and verified that the information is showing up:
| inputlookup cached_txids.csv
| search txid="<sample_txid>"
Then, I combined the first two steps using JOIN with the goal of printing the txids along with their start and end times:
| inputlookup cached_txids.csv
| join type=inner txid [search index=main | stats earliest(_time) as start_time latest(_time) as end_time by txid]
| table txid start_time end_time
However, this ^ just prints the txids but not their start and end times.
Finally, I attempted to use a MAP query, but found it to be very slow on a large amount of data:
| inputlookup cached_txids.csv
| map search="search index=main txid=$txid$ | stats earliest(_time) as start_time latest(_time) as end_time by txid" maxsearches=10000
While the MAP command works, it is not efficient for large data sets.
I am seeking help to find a more efficient way to achieve my goal of using JOIN. Any suggestions would be greatly appreciated!