https://community.splunk.com/t5/Splunk-Search/Search-using-two-indexes/m-p/553275#M157069 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230148">@moayadalghamdi</a>&nbsp;</P><P>try this</P><LI-CODE lang="markup">index=msexchange OR index=cisco_esa | stats values(message_subject) as message_subject values(sender) as sender by src_ip</LI-CODE> Thu, 27 May 2021 08:42:41 GMT aasabatini 2021-05-27T08:42:41Z https://community.splunk.com/t5/Splunk-Search/Search-using-two-indexes/m-p/553274#M157068 <P>Hola Splunkers !!</P><P>&nbsp;</P><P>i want to search in two indexes with one common values in between, for exapmle:</P><P>&nbsp;</P><P>index=Exchange_server has the following fields: <EM><STRONG>sender</STRONG></EM>, subject</P><P>index=EmailProxy&nbsp;has the following fields: src_ip, <EM><STRONG>sender</STRONG></EM></P><P>&nbsp;</P><P>where the&nbsp;<EM><STRONG>sender</STRONG> </EM>value is the same in the two indexes&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>i want the output to conclude: src_ip,&nbsp;SenderMail,&nbsp; Subject</P><P>&nbsp;</P><P>here's my search:</P><P>index=Exchange_server OR index=EmailProxy&nbsp;| table src_ip message_subjec sender</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="moayadalghamdi_0-1622103988354.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14331i922C3176FEC16116/image-size/medium?v=v2&amp;px=400" role="button" title="moayadalghamdi_0-1622103988354.png" alt="moayadalghamdi_0-1622103988354.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>but unfortunately i got many blank fields, please help me with it.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks^_^</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 May 2021 08:48:08 GMT https://community.splunk.com/t5/Splunk-Search/Search-using-two-indexes/m-p/553274#M157068 moayadalghamdi 2021-05-27T08:48:08Z https://community.splunk.com/t5/Splunk-Search/Search-using-two-indexes/m-p/553275#M157069 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230148">@moayadalghamdi</a>&nbsp;</P><P>try this</P><LI-CODE lang="markup">index=msexchange OR index=cisco_esa | stats values(message_subject) as message_subject values(sender) as sender by src_ip</LI-CODE> Thu, 27 May 2021 08:42:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-using-two-indexes/m-p/553275#M157069 aasabatini 2021-05-27T08:42:41Z