https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476698#M143374 <P>Hi mattfunk20,</P> <P>you need to get the unique identifier from both indexes and use it in the <CODE>stats by</CODE> clause. I assume that <CODE>dest_mac</CODE> and <CODE>mac_address</CODE> are theses fields, so try something like this:</P> <PRE><CODE>(index=Index1 sourcetype=Type1) OR (index=Index2) | fields field1 field 2 mac_address dest_mac | eval mac_address=replace(mac_address,"\W","") | eval mac_address=lower(mac_address) | rex field=dest_nt_host "(?[^.]+)." | eval dest_nt_host=lower(dest_nt_host) | eval dest_mac=lower(dest_mac) | eval mac=case(isnotnull(dest_mac), dest_mac, isnotnull(mac_address), mac_address, 1=1, "unknown") | stats values(index) as index values(field1) as field1 values(field2) as field 2 values(index) as index values(mac_address) by mac | table mac mac_address field 1 field 2 index </CODE></PRE> <P>Might need some tweaking but I'm sure you get what I mean <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>And thanks for finding my original post helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Thu, 20 Feb 2020 02:41:42 GMT MuS 2020-02-20T02:41:42Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476697#M143373 <P>Following a super helpful thread here <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html" target="_blank">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A><BR /> But I've ran into an issue where when I start to use stats, I always drop one of my indexes, is it possible to use stats and still maintain both indexes, or at least merge the data prior to losing one of them?</P> <P>(index=Index1 sourcetype=Type1) OR (index=Index2)<BR /> | fields field1 field 2 mac_address dest_mac <BR /> | eval mac_address=replace(mac_address,"\W","") <BR /> | eval mac_address=lower(mac_address) <BR /> | rex field=dest_nt_host "(?[^.]+)."<BR /> | eval dest_nt_host=lower(dest_nt_host) <BR /> | eval dest_mac=lower(dest_mac)<BR /> | stats values(index) as index values(field1) as field1 values(field2) as field 2 values(index) as index values(mac_address) by dest_mac <BR /> | table dest_mac mac_address field 1 field 2 index</P> <P>essentially whatever state with the BY-clause is the index that's kept, but ideally I'd like to match on dest_mac and mac_address, while pulling field 1 from index 1, and field 2 from index 2<BR /> Without the by clause, my data essentially is appending without append, looking like...</P> <PRE><CODE>field 1 dest_mac index 1 field 2 mac_Address index 2 </CODE></PRE> <P>Thanks in advanced!</P> Wed, 30 Sep 2020 04:17:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476697#M143373 mattfunk20 2020-09-30T04:17:50Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476698#M143374 <P>Hi mattfunk20,</P> <P>you need to get the unique identifier from both indexes and use it in the <CODE>stats by</CODE> clause. I assume that <CODE>dest_mac</CODE> and <CODE>mac_address</CODE> are theses fields, so try something like this:</P> <PRE><CODE>(index=Index1 sourcetype=Type1) OR (index=Index2) | fields field1 field 2 mac_address dest_mac | eval mac_address=replace(mac_address,"\W","") | eval mac_address=lower(mac_address) | rex field=dest_nt_host "(?[^.]+)." | eval dest_nt_host=lower(dest_nt_host) | eval dest_mac=lower(dest_mac) | eval mac=case(isnotnull(dest_mac), dest_mac, isnotnull(mac_address), mac_address, 1=1, "unknown") | stats values(index) as index values(field1) as field1 values(field2) as field 2 values(index) as index values(mac_address) by mac | table mac mac_address field 1 field 2 index </CODE></PRE> <P>Might need some tweaking but I'm sure you get what I mean <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>And thanks for finding my original post helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Thu, 20 Feb 2020 02:41:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476698#M143374 MuS 2020-02-20T02:41:42Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476699#M143375 <P>Super cool to see the same person help me out again. <BR /> Thanks, worked quite well!</P> Fri, 21 Feb 2020 17:45:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-indexes-with-Stats/m-p/476699#M143375 mattfunk20 2020-02-21T17:45:26Z