https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475095#M8179 <P>I have two index and multiple sourcetypes. Hostname is the common.. I will to bring all possible information of that host from all ST.</P> <P>index=I1 ST=S1<BR /> index-I2 ST=S2, ST=S3,ST=S4,ST=S5</P> <P>Sourcetype= S2 to S5 belongs to same Index=I2</P> <P>Things I tried</P> <H1>1</H1> <P>(index=I1 OR index=I2) (ST=S1 OR ST=S2 OR ST=S3)<BR /> |fields </P> <P>Didnt worked</P> <H1>2</H1> <P>|multisearch<BR /> [search index=I1 ST=S]<BR /> [search index=I2 (ST=S1 OR ST=S2 ...]</P> <P>didnt worked</P> <H1>3 |multisearch</H1> <P>[search index=I1 ST=S]<BR /> [search index=I2 ST=S2]<BR /> [search index=I2 ST=S3]</P> <P>taking a lottt lottt time </P> <P>What am i missing here.. what is the best approach to join two different index and one index having multiple Sourcetypes?</P> Tue, 10 Sep 2019 18:09:07 GMT krishdeesplunk 2019-09-10T18:09:07Z https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475095#M8179 <P>I have two index and multiple sourcetypes. Hostname is the common.. I will to bring all possible information of that host from all ST.</P> <P>index=I1 ST=S1<BR /> index-I2 ST=S2, ST=S3,ST=S4,ST=S5</P> <P>Sourcetype= S2 to S5 belongs to same Index=I2</P> <P>Things I tried</P> <H1>1</H1> <P>(index=I1 OR index=I2) (ST=S1 OR ST=S2 OR ST=S3)<BR /> |fields </P> <P>Didnt worked</P> <H1>2</H1> <P>|multisearch<BR /> [search index=I1 ST=S]<BR /> [search index=I2 (ST=S1 OR ST=S2 ...]</P> <P>didnt worked</P> <H1>3 |multisearch</H1> <P>[search index=I1 ST=S]<BR /> [search index=I2 ST=S2]<BR /> [search index=I2 ST=S3]</P> <P>taking a lottt lottt time </P> <P>What am i missing here.. what is the best approach to join two different index and one index having multiple Sourcetypes?</P> Tue, 10 Sep 2019 18:09:07 GMT https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475095#M8179 krishdeesplunk 2019-09-10T18:09:07Z https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475096#M8180 <P>Hi, <BR /> You could use the <STRONG>| join</STRONG> command to achieve that result. <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join</A></P> <P>Alternatively, you could also have a look at *<EM>| append *</EM> command to achieve similar results based on your use case.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Append">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Append</A></P> Tue, 10 Sep 2019 19:57:28 GMT https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475096#M8180 mguhad 2019-09-10T19:57:28Z https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475097#M8181 <P>@mguhad Thanks for the Answer.<BR /> Using join will be very costly for this search i guess.. let me try</P> <P>in Index 2 i have 8 different sourcetypes </P> Tue, 10 Sep 2019 20:31:28 GMT https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475097#M8181 krishdeesplunk 2019-09-10T20:31:28Z https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475098#M8182 <P><CODE>(index=I1 sourcetype=S1) OR (index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5))</CODE></P> Tue, 10 Sep 2019 21:03:30 GMT https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475098#M8182 jacobpevans 2019-09-10T21:03:30Z https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475099#M8183 <P>perhaps you could to to one index, say the one with 8 sourcetypes...search it <CODE>index=1 sourcetype=s1 OR sourcetype=s2.... OR sourcetype=s8</CODE> <BR /> once you get that data, <STRONG>tag</STRONG>* it or create an <STRONG>eventtype</STRONG> that holds that data &amp; thus will be able to combine the two indexes easily now that you have taken care of the index with many sourcetypes by assigning a <STRONG>tag</STRONG> or <STRONG>eventtype</STRONG> to the index with many sourcetypes</P> Wed, 11 Sep 2019 21:03:34 GMT https://community.splunk.com/t5/Knowledge-Management/Joining-Multiple-index-and-sourcetypes/m-p/475099#M8183 mguhad 2019-09-11T21:03:34Z