https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548824#M155704 <P>Hi,</P><P>I am trying to search across two seperate indexes and then display fields returned from both indexes on a single line of my output.&nbsp;</P><P>Both indexes have a common field named "user" and I am search both indexes using this field.</P><P>The first part is "index=mcafee_wg&nbsp;user= <EM>supplied value"&nbsp;&nbsp;</EM>I want to search this&nbsp; index for a given value for "user" field and to display the value of a field named "url" in my output. "url" is a field in this index.</P><P>I also want to search a different index with "index=cisco_fmc&nbsp;user= <EM>supplied v</EM><EM>alue"&nbsp;</EM>&nbsp;As above, I want to search this index for a given value for "user" field. From this index I want to display the value of a field named "detection" which is a field in this index.</P><P>So basically i want to combine these three fields together and output them on the same line, such as:</P><P><STRONG>user&nbsp; &nbsp; &nbsp; &nbsp;url&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;detection</STRONG></P><P><EM>value&nbsp; &nbsp; &nbsp; value&nbsp; &nbsp; &nbsp;value</EM></P><P>Thanks!</P> Wed, 21 Apr 2021 16:07:37 GMT ezmo1982 2021-04-21T16:07:37Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548824#M155704 <P>Hi,</P><P>I am trying to search across two seperate indexes and then display fields returned from both indexes on a single line of my output.&nbsp;</P><P>Both indexes have a common field named "user" and I am search both indexes using this field.</P><P>The first part is "index=mcafee_wg&nbsp;user= <EM>supplied value"&nbsp;&nbsp;</EM>I want to search this&nbsp; index for a given value for "user" field and to display the value of a field named "url" in my output. "url" is a field in this index.</P><P>I also want to search a different index with "index=cisco_fmc&nbsp;user= <EM>supplied v</EM><EM>alue"&nbsp;</EM>&nbsp;As above, I want to search this index for a given value for "user" field. From this index I want to display the value of a field named "detection" which is a field in this index.</P><P>So basically i want to combine these three fields together and output them on the same line, such as:</P><P><STRONG>user&nbsp; &nbsp; &nbsp; &nbsp;url&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;detection</STRONG></P><P><EM>value&nbsp; &nbsp; &nbsp; value&nbsp; &nbsp; &nbsp;value</EM></P><P>Thanks!</P> Wed, 21 Apr 2021 16:07:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548824#M155704 ezmo1982 2021-04-21T16:07:37Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548826#M155705 <LI-CODE lang="markup">index=mcafee_wg OR index=cisco_fmc user="supplied value" | stats values(url) as url values(detection) as detection by user</LI-CODE> Wed, 21 Apr 2021 16:14:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548826#M155705 ITWhisperer 2021-04-21T16:14:42Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548827#M155706 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225682">@ezmo1982</a>&nbsp;</P><P>but the user field needs to have the same values across the two indexes?</P> Wed, 21 Apr 2021 16:17:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548827#M155706 aasabatini 2021-04-21T16:17:30Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548828#M155707 <P>Yes, the value of the user field needs to be the same across both indexes.</P> Wed, 21 Apr 2021 16:19:46 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548828#M155707 ezmo1982 2021-04-21T16:19:46Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548834#M155708 <P>you can try&nbsp;<BR /><BR /></P><LI-CODE lang="markup">(index=mcafee_wg user= supplied value") | join user[search index=cisco_fmc user= supplied value"] | table user url detection</LI-CODE><P>&nbsp;</P><P>be careful because splunk join comand works fine with a small set of data.</P> Wed, 21 Apr 2021 16:49:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548834#M155708 aasabatini 2021-04-21T16:49:15Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548849#M155710 <P>One thing I forgot to mention is that both indexes contain a field named "url". I am looking to output the "url" field from just the mcafee_wg index and not the cisco_fmc index.</P> Wed, 21 Apr 2021 18:28:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548849#M155710 ezmo1982 2021-04-21T18:28:38Z https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548864#M155713 <LI-CODE lang="markup">index=mcafee_wg OR index=cisco_fmc user="supplied value" | eval url=if(index="mcafee_wg", url, null) | stats values(url) as url values(detection) as detection by user</LI-CODE> Wed, 21 Apr 2021 21:00:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-search-two-seperate-indexes-and-then-output-values-from/m-p/548864#M155713 ITWhisperer 2021-04-21T21:00:35Z