https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484880#M8674 <P>Hi,</P> <P>this can be done in multiple ways.<BR /> - append - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Append">https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Append</A><BR /> it appends the results from the subsearch to the mail search as events</P> <UL> <LI>appendcols - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Appendcols">https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Appendcols</A> it will add the columns from the subsearch to the main search. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on, without any relation.</LI> </UL> <P>you will get the better idea by going through the examples given on the reference sites.</P> <P>accept &amp; up-vote the answer if it helps</P> Mon, 02 Mar 2020 14:22:08 GMT gaurav_maniar 2020-03-02T14:22:08Z https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484878#M8672 <P>Can splunk search for different indexes that contain different fields, and present that data out in readable format?</P> <P>I am trying to use one search that looks in index A, for specific fields, then another search for index B, looking for different fields than are contained in index A.</P> <P>This is in an attempt to give out a daily report that can give us a single email showing us different tables on a single email of:</P> <P>cpu percentage<BR /> drive full percentage<BR /> status of an application (running/stopped)<BR /> etc.</P> <P>Or is there perhaps a way that splunk can merge separate reports into one, and email it out in the message body?</P> <P>I will continue looking, but any help is appreciated. thanks.</P> Mon, 02 Mar 2020 13:51:35 GMT https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484878#M8672 agentguerry 2020-03-02T13:51:35Z https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484879#M8673 <P>You can search both the indexes with OR.</P> <PRE><CODE>(index=indexA fieldA1=&lt;&gt; fieldA2=&lt;&gt;) OR (index=indexB fieldB1=&lt;&gt; fieldB2=&lt;&gt;) | table index, fieldA1, fieldA2, fieldB1, fieldB2 </CODE></PRE> Mon, 02 Mar 2020 14:08:30 GMT https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484879#M8673 manjunathmeti 2020-03-02T14:08:30Z https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484880#M8674 <P>Hi,</P> <P>this can be done in multiple ways.<BR /> - append - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Append">https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Append</A><BR /> it appends the results from the subsearch to the mail search as events</P> <UL> <LI>appendcols - <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Appendcols">https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Appendcols</A> it will add the columns from the subsearch to the main search. The first subsearch result is merged with the first main result, the second subsearch result is merged with the second main result, and so on, without any relation.</LI> </UL> <P>you will get the better idea by going through the examples given on the reference sites.</P> <P>accept &amp; up-vote the answer if it helps</P> Mon, 02 Mar 2020 14:22:08 GMT https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484880#M8674 gaurav_maniar 2020-03-02T14:22:08Z https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484881#M8675 <P>thanks i will look into these more. i do find that i can export a dashboard as pdf to email. that may work for us for our needs.<BR /> I believe that option will attach the pdf, but not plant the dashboard into the email body.</P> Mon, 02 Mar 2020 14:40:26 GMT https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484881#M8675 agentguerry 2020-03-02T14:40:26Z https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484882#M8676 <P>accept the answer that helped to close the question.</P> Thu, 05 Mar 2020 07:52:04 GMT https://community.splunk.com/t5/Splunk-Dev/can-multiple-indexes-be-searched-for-different-fields/m-p/484882#M8676 gaurav_maniar 2020-03-05T07:52:04Z