https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525071#M148133 <P>Hi All,</P><P>Need to combine 2 index together and also need the values to be added/summed together.</P><P><STRONG>Code 1 :&nbsp;</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">index=nw_syslog message_type="BGP-5-ADJCHANGE" | stats count by nodelabel, message_type | table nodelabel, message_type, count</LI-CODE><P>&nbsp;</P><P><STRONG>Table 1 :&nbsp;</STRONG></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="34.193548387096776%">nodelabel</TD><TD width="26.96774193548387%">message_type</TD><TD width="38.70967741935484%">count</TD></TR><TR><TD width="34.193548387096776%">AOKBF</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">2</TD></TR><TR><TD width="34.193548387096776%">CMPRS</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">2</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>Code 2:&nbsp;</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">index=opennms | stats count by nodelabel, message_type | table nodelabel, message_type, count</LI-CODE><P>&nbsp;</P><P><STRONG>Table 2:&nbsp;</STRONG></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="34.193548387096776%">nodelabel</TD><TD width="26.96774193548387%">message_type</TD><TD width="38.70967741935484%">count</TD></TR><TR><TD width="34.193548387096776%">AOKBF</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">3</TD></TR><TR><TD width="34.193548387096776%">CMPRS</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I used <STRONG>append</STRONG> and also&nbsp;&nbsp;<STRONG>join type=outer nodelabel&nbsp; </STRONG>but the value is not added.</P><P>&nbsp;</P><P><STRONG>Expected</STRONG><STRONG>&nbsp; Table Final :&nbsp;</STRONG></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="34.193548387096776%">nodelabel</TD><TD width="26.96774193548387%">message_type</TD><TD width="38.70967741935484%">count</TD></TR><TR><TD width="34.193548387096776%">AOKBF</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">5</TD></TR><TR><TD width="34.193548387096776%">CMPRS</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">5</TD></TR></TBODY></TABLE> Fri, 16 Oct 2020 14:40:58 GMT jerinvarghese 2020-10-16T14:40:58Z https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525071#M148133 <P>Hi All,</P><P>Need to combine 2 index together and also need the values to be added/summed together.</P><P><STRONG>Code 1 :&nbsp;</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">index=nw_syslog message_type="BGP-5-ADJCHANGE" | stats count by nodelabel, message_type | table nodelabel, message_type, count</LI-CODE><P>&nbsp;</P><P><STRONG>Table 1 :&nbsp;</STRONG></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="34.193548387096776%">nodelabel</TD><TD width="26.96774193548387%">message_type</TD><TD width="38.70967741935484%">count</TD></TR><TR><TD width="34.193548387096776%">AOKBF</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">2</TD></TR><TR><TD width="34.193548387096776%">CMPRS</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">2</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>Code 2:&nbsp;</STRONG></P><P>&nbsp;</P><LI-CODE lang="markup">index=opennms | stats count by nodelabel, message_type | table nodelabel, message_type, count</LI-CODE><P>&nbsp;</P><P><STRONG>Table 2:&nbsp;</STRONG></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="34.193548387096776%">nodelabel</TD><TD width="26.96774193548387%">message_type</TD><TD width="38.70967741935484%">count</TD></TR><TR><TD width="34.193548387096776%">AOKBF</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">3</TD></TR><TR><TD width="34.193548387096776%">CMPRS</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I used <STRONG>append</STRONG> and also&nbsp;&nbsp;<STRONG>join type=outer nodelabel&nbsp; </STRONG>but the value is not added.</P><P>&nbsp;</P><P><STRONG>Expected</STRONG><STRONG>&nbsp; Table Final :&nbsp;</STRONG></P><TABLE border="1" width="99.87096774193549%"><TBODY><TR><TD width="34.193548387096776%">nodelabel</TD><TD width="26.96774193548387%">message_type</TD><TD width="38.70967741935484%">count</TD></TR><TR><TD width="34.193548387096776%">AOKBF</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">5</TD></TR><TR><TD width="34.193548387096776%">CMPRS</TD><TD width="26.96774193548387%">BGP PEER LOST</TD><TD width="38.70967741935484%">5</TD></TR></TBODY></TABLE> Fri, 16 Oct 2020 14:40:58 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525071#M148133 jerinvarghese 2020-10-16T14:40:58Z https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525077#M148135 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33379">@jerinvarghese</a>,</P><P>if you have the same field names in both indexes is easier you can think:</P><LI-CODE lang="markup">(index=nw_syslog message_type="BGP-5-ADJCHANGE") OR (index=opennms) | stats count BY nodelabel message_type | table nodelabel, message_type, count</LI-CODE><P>if instead you have different field names, you have to rename them to have the same field names.</P><P>In this way, you haven't the limit of 50,000 results in subsearches that you'd have using join or append.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 16 Oct 2020 15:03:45 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525077#M148135 gcusello 2020-10-16T15:03:45Z https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525558#M148325 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>&nbsp;</P><P>Got another solution&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=nw_syslog message_type="BGP-5-ADJCHANGE" | table nodelabel, message_type, count | append [ search index=opennms | table nodelabel, message_type, count ] | stats count by nodelabel, message_type, count</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>this provided me the desired value. thanks so much for your suggestion too. that to helped me in the result.</P> Tue, 20 Oct 2020 13:20:03 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525558#M148325 jerinvarghese 2020-10-20T13:20:03Z https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525575#M148330 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33379">@jerinvarghese</a>,</P><P>your solution is like mine, but beware if the second search could have more than 50,000 results, because there's this limit in subsearches.</P><P>then beware to use the same field name for count.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 20 Oct 2020 14:16:45 GMT https://community.splunk.com/t5/Splunk-Search/Multi-Index-combination/m-p/525575#M148330 gcusello 2020-10-20T14:16:45Z