https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512999#M143923 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>thanks for the reply, i got the output, but there is a problem, output ignores all those values which doesn't have Incidnet_number.</P><P>I need those nodelabel as well with blank value for&nbsp;Incident_number.&nbsp;</P><P>please help in that</P><P>i used below command, hope this is right method.</P><P>| join type=outer nodelabel&nbsp;</P> Fri, 07 Aug 2020 13:28:43 GMT jerinvarghese 2020-08-07T13:28:43Z https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512990#M143921 <P>HI all,</P><P>I have 2 index, that have same common field together.&nbsp; I want to join both together.</P><P>Query 1:&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time latest(Status) as Status by nodelabel | table nodelabel, Status, Time </LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Query 2 :&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=itsm sourcetype=remedy_midtier | rename _time as Time | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p") | table nodelabel, Incident_Number, Time </LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Output table 1:&nbsp;</P><P>nodelabel Status Time</P><TABLE><TBODY><TR><TD>CASCO</TD><TD>Up</TD><TD>2020-08-07 5:45:28 PM</TD></TR><TR><TD>AERIB</TD><TD>Up</TD><TD>2020-08-07 5:30:05 PM</TD></TR><TR><TD>CNPYU</TD><TD>Up</TD><TD>2020-08-07 5:34:41 PM</TD></TR></TBODY></TABLE><P><BR />Output Table 2:&nbsp;</P><P>nodelabel Incident_Number Time</P><TABLE><TBODY><TR><TD width="70px">CASCO</TD><TD width="153px">INC000013850038</TD><TD width="184px">2020-08-07 5:45:28 PM</TD></TR><TR><TD width="70px">CNPTT</TD><TD width="153px">INC000013850032</TD><TD width="184px">2020-08-07 5:34:42 PM</TD></TR><TR><TD width="70px">CNPYU</TD><TD width="153px">INC000013850032</TD><TD width="184px">2020-08-07 5:34:41 PM</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;expected output:&nbsp;</P><P>nodelabel Incident_Number Status Time</P><TABLE width="418px"><TBODY><TR><TD width="68px">CASCO</TD><TD width="153px">INC000013850038</TD><TD width="92px">UP</TD><TD width="104px">2020-08-07 5:45:28 PM</TD></TR><TR><TD width="68px">CNPTT</TD><TD width="153px">INC000013850032</TD><TD width="92px">&nbsp;</TD><TD width="104px">2020-08-07 5:34:42 PM</TD></TR><TR><TD width="68px">CNPYU</TD><TD width="153px">INC000013850032</TD><TD width="92px">UP</TD><TD width="104px">2020-08-07 5:34:41 PM</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I used join inner command but it failed. please help me in the join function. here nodelabel should be the common factor.</P> Fri, 07 Aug 2020 12:25:50 GMT https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512990#M143921 jerinvarghese 2020-08-07T12:25:50Z https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512991#M143922 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33379">@jerinvarghese</a>,</P><P>you could use the join command</P><LI-CODE lang="markup">index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown" | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time latest(Status) as Status by nodelabel | table nodelabel Status Time | join nodelabel [ search index=itsm sourcetype=remedy_midtier | rename _time as Time | fieldformat Time=strftime(Time,"%Y-%m-%d %l:%M:%S %p") | table nodelabel Incident_Number Time ] | table table nodelabel Incident_Number Status Time</LI-CODE><P>but I don't like because&nbsp; it's very slow and there's the limit of 50,000 results in subsearch.</P><P>So I hint to explore a different approach using the stats command:</P><LI-CODE lang="markup">(index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown") OR (index=itsm sourcetype=remedy_midtier) | rex field=eventuei "uei.opennms.org/nodes/node(?&lt;Status&gt;.+)" | stats max(_time) as Time values(Incident_Number) AS Incident_Number latest(Status) as Status by nodelabel | table table nodelabel Incident_Number Status Time</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 07 Aug 2020 12:35:43 GMT https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512991#M143922 gcusello 2020-08-07T12:35:43Z https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512999#M143923 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>thanks for the reply, i got the output, but there is a problem, output ignores all those values which doesn't have Incidnet_number.</P><P>I need those nodelabel as well with blank value for&nbsp;Incident_number.&nbsp;</P><P>please help in that</P><P>i used below command, hope this is right method.</P><P>| join type=outer nodelabel&nbsp;</P> Fri, 07 Aug 2020 13:28:43 GMT https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/512999#M143923 jerinvarghese 2020-08-07T13:28:43Z https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/513025#M143933 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33379">@jerinvarghese</a>,</P><P>as I said, I don't like join so I prefer the second solution that I hint to explore and use:</P><P>you are using a DB approach, but Splunk isn't a DB!</P><P>About your problem, did you tried to invert the two searches?</P><P>Ciao.</P><P>Giuseppe</P><P>P.s.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 07 Aug 2020 15:05:52 GMT https://community.splunk.com/t5/Splunk-Search/Join-index-s-together/m-p/513025#M143933 gcusello 2020-08-07T15:05:52Z