https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263855#M6818 <P>Sorry i think i stated the question incorrectly.</P> <P>In the above search i'm searching 2 different indexes. One index called log4net contains a field called level. The other index is called wineventlog and contains a field called Type. The problem in the search, for anyone reading it, they have no idea that field type belongs only to the windows event log and field level belongs only to log4net. Is there anyway to make the search more implicit on which index these fields come from in the above search? example can you do something like this</P> <PRE><CODE> index="log4net" OR index="wineventlog" AND wineventlog:Type="Error" OR log4net:level="Error" earliest=-1h latest=now </CODE></PRE> Tue, 06 Dec 2016 17:38:08 GMT tragiccode 2016-12-06T17:38:08Z https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263853#M6816 <P>I am new to Splunk but i have a search query that queries more than 1 index and each index has unique fields on it. Is there a way to easily namespace the fields to a specific index in my search to readers can easily see that the Error field belongs to the windows eventlog index and the level field belongs to the log4net index?</P> <PRE><CODE>index="log4net" OR index="wineventlog" AND Type="Error" OR level="Error" earliest=-1h latest=now </CODE></PRE> <P>Right now the reader of the search has no way to know which field exists in what index.</P> Tue, 06 Dec 2016 15:11:14 GMT https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263853#M6816 tragiccode 2016-12-06T15:11:14Z https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263854#M6817 <P>Morning tragiccode,</P> <P>The default fields for each event that are returned in a search are as follows:<BR /> <CODE>host, index, linecount, punct, source, sourcetype, splunk_server, timestamp</CODE><BR /> and the default selected fields are:<BR /> <CODE>host, source, sourcetype</CODE></P> <P><CODE>index</CODE> is included as a default but <STRONG>not selected</STRONG>. </P> <P>Therefore, do you have a specific output you were looking for?</P> Tue, 06 Dec 2016 16:29:20 GMT https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263854#M6817 adamsaul 2016-12-06T16:29:20Z https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263855#M6818 <P>Sorry i think i stated the question incorrectly.</P> <P>In the above search i'm searching 2 different indexes. One index called log4net contains a field called level. The other index is called wineventlog and contains a field called Type. The problem in the search, for anyone reading it, they have no idea that field type belongs only to the windows event log and field level belongs only to log4net. Is there anyway to make the search more implicit on which index these fields come from in the above search? example can you do something like this</P> <PRE><CODE> index="log4net" OR index="wineventlog" AND wineventlog:Type="Error" OR log4net:level="Error" earliest=-1h latest=now </CODE></PRE> Tue, 06 Dec 2016 17:38:08 GMT https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263855#M6818 tragiccode 2016-12-06T17:38:08Z https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263856#M6819 <P>tragiccode,</P> <P>I do not know of a way to do what your example is asking but you can quickly help the user understand which <CODE>index</CODE> they come from by how you present the results. </P> <P>Example, appending a <CODE>table</CODE> command to the end of your existing search:<BR /> <CODE>index="log4net" OR index="wineventlog" AND wineventlog:Type="Error" OR log4net:level="Error" earliest=-1h latest=now | table host source sourcetype index _raw</CODE></P> Tue, 06 Dec 2016 17:48:54 GMT https://community.splunk.com/t5/Knowledge-Management/Is-it-possible-to-namespace-fields-to-a-specific-index/m-p/263856#M6819 adamsaul 2016-12-06T17:48:54Z