https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553864#M157246 <P>the field bytes already existed in paloalto logs, so with your query it might get overwrote .</P><P>below my draft query so far, using few variables</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=pan_logs OR index=sns | eval src_ip=if(index="sns",src,src_ip), dest_ip=if(index="sns",dst,dest_ip), bytes_new=if(index="sns",bytes_in+bytes_out, bytes) | search src_ip="$source_ip$" AND dest_ip="$destination_ip$" AND action="$fw_action$" | table _time, index, host, action, src_ip, dest_ip, app, user, src_port, dest_port, bytes_new, vendor_action</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Jun 2021 15:25:22 GMT corti77 2021-06-01T15:25:22Z https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553839#M157236 <P>I would like to create a dashboard to query the logs of our two firewall devices (paloalto and sns). Both has their own index created.&nbsp;</P><P>Firstly I tried to simply query both indexes</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=pan_logs OR index=sns | table _time, action, src_ip, dest_ip, app, user, src_port, dest_port, bytes</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>with the issue that in the stormshield index some fields are named slightly different. I then tried to rename the values in order to merge all events from both indexes... but I didnt succeed.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=pan_logs [ search index=sns | rename src as src_ip, dst as dest_ip | eval bytes=bytes_in+bytes_out ] | table _time, action, src_ip, dest_ip, app, user, src_port, dest_port, bytes</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>could someone point me to the right direction?</P><P>thanks a lot.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Jun 2021 12:37:39 GMT https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553839#M157236 corti77 2021-06-01T12:37:39Z https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553841#M157237 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234300">@corti77</a>,</P><P>your first approach is better: you have to use eval and rename to merge data, something like this:</P><LI-CODE lang="markup">index=pan_logs OR index=sns | eval src_ip=if(index="sns",src,src_ip), dest_ip=if(index="sns",dst,dest_ip), bytes=bytes_in+bytes_out | table _time action src_ip dest_ip app user src_port dest_port bytes</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 01 Jun 2021 12:44:55 GMT https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553841#M157237 gcusello 2021-06-01T12:44:55Z https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553843#M157238 <P>The second search was very close.&nbsp; Using a subsearch creates a very different type of query, however.&nbsp; Just add the rename command - there' s no need to associated it with a specific index because it will only apply to events with the stated fields.</P><LI-CODE lang="markup">index=pan_logs OR index=sns | rename src as src_ip, dst as dest_ip | eval bytes=bytes_in+bytes_out | table _time, action, src_ip, dest_ip, app, user, src_port, dest_port, bytes</LI-CODE> Tue, 01 Jun 2021 12:51:15 GMT https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553843#M157238 richgalloway 2021-06-01T12:51:15Z https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553864#M157246 <P>the field bytes already existed in paloalto logs, so with your query it might get overwrote .</P><P>below my draft query so far, using few variables</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=pan_logs OR index=sns | eval src_ip=if(index="sns",src,src_ip), dest_ip=if(index="sns",dst,dest_ip), bytes_new=if(index="sns",bytes_in+bytes_out, bytes) | search src_ip="$source_ip$" AND dest_ip="$destination_ip$" AND action="$fw_action$" | table _time, index, host, action, src_ip, dest_ip, app, user, src_port, dest_port, bytes_new, vendor_action</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Jun 2021 15:25:22 GMT https://community.splunk.com/t5/Splunk-Search/Merging-events-from-two-indexes/m-p/553864#M157246 corti77 2021-06-01T15:25:22Z