https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450389#M171359 <P>not sure why or what you need to <CODE>coalesce</CODE> if the split by field is the same ...<BR /> <CODE>index = a or index = b name=* |stats values(field2) as fields2 values(field3) as field3 values(field4) as field4 values(field5) as field5 by name</CODE> </P> Thu, 09 May 2019 19:17:24 GMT adonio 2019-05-09T19:17:24Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450388#M171358 <P>Hello, <BR /> I asked this question yesterday but didn't get the right solution. I have two indexes with different fields and only share one common field, I want to have a table where it display some fields form both indexes. So far, it displays fields from one index only, not sure what I'm doing wrong. Here is my attempt. </P> <P>Note: field 2 and field 3 from index=1 , field 4 and field 5 from index=2 , common field is name </P> <P>index=1 OR index=2 <BR /> |eval name=coalescce(name1,name2) <BR /> |stats values(field2) as fields2 values(field3) as field3 values(field4) as field4 values(field5) as field5 by name </P> <P>thank you in advance!!! </P> Thu, 09 May 2019 15:57:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450388#M171358 maryamchar 2019-05-09T15:57:32Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450389#M171359 <P>not sure why or what you need to <CODE>coalesce</CODE> if the split by field is the same ...<BR /> <CODE>index = a or index = b name=* |stats values(field2) as fields2 values(field3) as field3 values(field4) as field4 values(field5) as field5 by name</CODE> </P> Thu, 09 May 2019 19:17:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450389#M171359 adonio 2019-05-09T19:17:24Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450390#M171360 <P>I need coalesce because it's the same field but named differently in each index. however, they both have same data. The query you provided didn't work </P> Thu, 09 May 2019 21:26:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450390#M171360 maryamchar 2019-05-09T21:26:38Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450391#M171361 <P>Hi</P> <P>You should use join command to correlate data from one index to data in other index.</P> <P>index=1 | stats c by name1, field2, field3 | rename name1 as name2| join name2 [| search index=2 | stats c by name2, field4, field5]</P> <P>other example : index=_internal | stats c by host sourcetype | join type=left host [ | search index=_audit | stats c by host source]</P> <P>Thanks</P> Wed, 30 Sep 2020 00:27:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450391#M171361 PowerPacked 2020-09-30T00:27:48Z https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450392#M171362 <P>Thank you!!! It worked!!</P> Mon, 13 May 2019 18:19:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-populate-fields-from-two-indexes-that-share-one-field/m-p/450392#M171362 maryamchar 2019-05-13T18:19:22Z