Thanks for your response.
Please see my comments inline
Avoid using join. Instead, search across all the indexes and sources at once:
(index=idx1 source=ab1 "Txn Number" ) OR (index=lookup1 source=abc Txn) OR ....
We will try out above suggestion.
If you have an actual lookup, don't put it in an index, put it in a lookup table.
We are not allowed to use lookup thus indexed it.
-- The table command in line 2 does not accomplish anything in your search; remove it.
-- The syntax you show is broken - where is the final ] for the first join?
-- The rex command in line 4 does not actually extract any fields, so it does nothing; remove it.
Please refer the new Query
In line 5: first, you are searching for the string "Txn" plus a field named ID with the value within the parentheses. Second, you should combine this search with earlier searches if possible, particularly for fixed strings. Also, I assume that this search is embedded in a dashboard, since you are using a token?
Earlier was dummy query. I have updated the actual query. Plesae suggest on this to improve performance.
... View more