https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-combine-three-indexes-using-left-join-but-not-all/m-p/397768#M170929 <P>index=A | stats count by host ID | eval ID=upper(ID) | rename host as HOST, ID as USERID, count as LOGIN_FAILURES |<BR /> join USERID type=full [ search index=B earliest=-1d@d groupentitlements!=None | eval Username=upper(Username) | rename Username as USERID, GivenName as FIRST_NAME, Surname as LAST_NAME, groupentitlements as ENTITLEMENT, HomeDirectory as HOME_DIRECTORY | <BR /> join USERID type=full [ search index=C earliest=-1d@d USERID | dedup USERID | eval USERID=upper(USERID) ] ] |<BR /> table HOST USERID FIRST_NAME LAST_NAME LOGIN_FAILURES HOME_DIRECTORY TITLE ASSOCIATE PRIORITY_CUSTOMER ORGANIZATION_CODE CSS_BUSINESS_GROUP ENTITLEMENT BUILDING_NAME ADDRESS_LINE1 CITY STATE_CD COUNTRY | sort - LOGIN_FAILURES</P> Wed, 30 Sep 2020 00:45:16 GMT dogaasad 2020-09-30T00:45:16Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-combine-three-indexes-using-left-join-but-not-all/m-p/397768#M170929 <P>index=A | stats count by host ID | eval ID=upper(ID) | rename host as HOST, ID as USERID, count as LOGIN_FAILURES |<BR /> join USERID type=full [ search index=B earliest=-1d@d groupentitlements!=None | eval Username=upper(Username) | rename Username as USERID, GivenName as FIRST_NAME, Surname as LAST_NAME, groupentitlements as ENTITLEMENT, HomeDirectory as HOME_DIRECTORY | <BR /> join USERID type=full [ search index=C earliest=-1d@d USERID | dedup USERID | eval USERID=upper(USERID) ] ] |<BR /> table HOST USERID FIRST_NAME LAST_NAME LOGIN_FAILURES HOME_DIRECTORY TITLE ASSOCIATE PRIORITY_CUSTOMER ORGANIZATION_CODE CSS_BUSINESS_GROUP ENTITLEMENT BUILDING_NAME ADDRESS_LINE1 CITY STATE_CD COUNTRY | sort - LOGIN_FAILURES</P> Wed, 30 Sep 2020 00:45:16 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-combine-three-indexes-using-left-join-but-not-all/m-p/397768#M170929 dogaasad 2020-09-30T00:45:16Z https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-combine-three-indexes-using-left-join-but-not-all/m-p/397769#M170930 <P>I'd recommend first starting with formatting the query in Splunk by pressing CTRL and \ in the query window for readability purposes.</P> <P>Try this:</P> <PRE><CODE>index=A | stats count by host ID | eval ID=upper(ID) | rename host as HOST, ID as USERID, count as LOGIN_FAILURES | join USERID type=left [ search index=B earliest=-1d@d groupentitlements!=None | eval Username=upper(Username) | rename Username as USERID, GivenName as FIRST_NAME, Surname as LAST_NAME, groupentitlements as ENTITLEMENT, HomeDirectory as HOME_DIRECTORY | join USERID type=left [ search index=C earliest=-1d@d USERID | dedup USERID | eval USERID=upper(USERID) ] ] | table HOST USERID FIRST_NAME LAST_NAME LOGIN_FAILURES HOME_DIRECTORY TITLE ASSOCIATE PRIORITY_CUSTOMER ORGANIZATION_CODE CSS_BUSINESS_GROUP ENTITLEMENT BUILDING_NAME ADDRESS_LINE1 CITY STATE_CD COUNTRY | sort - LOGIN_FAILURES </CODE></PRE> <P>I changed the type of join to left, it seems to be "full" join in the query, which I dont think is a valid option</P> <P>as referring to <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Join">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Join</A></P> <P>the options are:</P> <PRE><CODE>type=(inner | outer | left) </CODE></PRE> <P>please let me know if this doesn't help</P> Mon, 03 Jun 2019 19:12:29 GMT https://community.splunk.com/t5/Splunk-Search/I-am-trying-to-combine-three-indexes-using-left-join-but-not-all/m-p/397769#M170930 martinpu 2019-06-03T19:12:29Z