https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453323#M172300 <P>@kannu - For the multisearch query I see what the issue is , try the below.</P> <P>|multisearch [search index=_internal ("version" AND source="/opt/splunk/var/log/splunk/metrics.log")][search index=* source=computer]|rename hostname as host|stats latest(version) AS Version latest(Manufacturer) AS Manufacturer by host</P> <P>An alternate option is to create a lookup that's updated once a day for manufacturer and then use it to populate your other search.</P> <P>You can use index=* source=computer |stats count by host,Manufacturer to populate your lookup and then use the same as a lookup for the internal data search</P> Fri, 22 Mar 2019 14:37:25 GMT vik_splunk 2019-03-22T14:37:25Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453319#M172296 <P>Hello Guys ,</P> <P>I am having results from two different query </P> <P>1&gt; index=_internal ("version" AND source="/opt/splunk/var/log/splunk/metrics.log") | table hostname , version</P> <P>output <BR /> hostname version<BR /> abc.com 6.6.2</P> <P>2&gt; index=* source=computer |stats count by host,Manufacturer</P> <P>host Manufacturer<BR /> abc.com HP</P> <P>Is there any way in which i can combine the results of two into one by correlating hostname and host field .</P> <P>expected output</P> <P>host version Manufacturer<BR /> abc.com 6.6.2 HP</P> <P>I dont want to use join command to get the expected output</P> <P>please help </P> <P>Thanks<BR /> Manish</P> Fri, 22 Mar 2019 13:12:48 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453319#M172296 kannu 2019-03-22T13:12:48Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453320#M172297 <P>Considering you do not want to use join, see if the following approach works for you.</P> <P>|multisearch [search index=_internal ("version" AND source="/opt/splunk/var/log/splunk/metrics.log")][search index=* source=computer]|stats latest(version) AS Version latest(Manufacturer) AS Manufacturer by host</P> <P>Is there a reason you do not want to use join?</P> Fri, 22 Mar 2019 13:47:51 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453320#M172297 vik_splunk 2019-03-22T13:47:51Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453321#M172298 <P>@vik_splunk </P> <P>Actually join command is very heavy , in production i have more than 4000 hosts so comparing each host value with hostname entry was taking almost 10 minutes for completing the result </P> Fri, 22 Mar 2019 14:11:53 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453321#M172298 kannu 2019-03-22T14:11:53Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453322#M172299 <P>Hello @vik_splunk </P> <P>I tried running your search but output is not coming as expected </P> <P>host Version Manufacturer<BR /> ANMqweMIewwSe01 VMware, Inc.<BR /> MINEqweq HP<BR /> andndasdasnk-idx-01 6.6.7<BR /><BR /> andndasdaunk-idx-02 6.6.7<BR /><BR /> andnddsadunk-idx-03 6.6.2<BR /><BR /> anasddlunk-mn-01 6.6.2 </P> Fri, 22 Mar 2019 14:14:43 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453322#M172299 kannu 2019-03-22T14:14:43Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453323#M172300 <P>@kannu - For the multisearch query I see what the issue is , try the below.</P> <P>|multisearch [search index=_internal ("version" AND source="/opt/splunk/var/log/splunk/metrics.log")][search index=* source=computer]|rename hostname as host|stats latest(version) AS Version latest(Manufacturer) AS Manufacturer by host</P> <P>An alternate option is to create a lookup that's updated once a day for manufacturer and then use it to populate your other search.</P> <P>You can use index=* source=computer |stats count by host,Manufacturer to populate your lookup and then use the same as a lookup for the internal data search</P> Fri, 22 Mar 2019 14:37:25 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453323#M172300 vik_splunk 2019-03-22T14:37:25Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453324#M172301 <P>@vik_splunk </P> <P>Its still not working Manufacturer column is not getting populated</P> <P>host Version Manufacturer<BR /> AN2SQLTEST01 6.6.2<BR /><BR /> ANMAADMINTS01 6.4.3<BR /><BR /> MINESM003 6.6.2<BR /><BR /> anddevcaspec02 6.6.2<BR /><BR /> anddevcaspec03 6.6.2<BR /><BR /> anddevcaspec05 6.6.2<BR /><BR /> anddevcaspec07 6.6.2<BR /><BR /> andndevsplunk-mn-01 6.6.7<BR /><BR /> andqacaspec02 6.6.2<BR /><BR /> anma1camcore001 7.2.0 </P> Fri, 22 Mar 2019 15:41:08 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453324#M172301 kannu 2019-03-22T15:41:08Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453325#M172302 <P>@kannu. Can you please provide limited sample data(masked) for both your internal and your custom sourcetype to proceed?</P> <P>Make sure when you mask the data to match the hostname field in _internal to the host for which you are trying to get the manufacturer.</P> Tue, 26 Mar 2019 08:07:39 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453325#M172302 vik_splunk 2019-03-26T08:07:39Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453326#M172303 <P>@vik_splunk </P> <P>That is my question actually as you are saying that match the hostname with host for which i am looking manufacturer .</P> <P>I said that matching can be done i am getting the result using join command only , is there any way except join in which i can map the hostname from _internal to host in .</P> Wed, 27 Mar 2019 10:37:33 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453326#M172303 kannu 2019-03-27T10:37:33Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453327#M172304 <P>@kannu - I believe it is possible without having to use join. Just need some sample data so I can build and test the query.</P> Thu, 28 Mar 2019 09:42:57 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453327#M172304 vik_splunk 2019-03-28T09:42:57Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453328#M172305 <P>Try</P> <PRE><CODE>(index=_internal "version" source="/opt/splunk/var/log/splunk/metrics.log") OR (index=* source=computer) | eval host=coalesce(host, hostname) | stats values(version) as version values(Manufacturer) as Manufacturer by host </CODE></PRE> <P>Regards,<BR /> -Kai.</P> Thu, 28 Mar 2019 12:15:45 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453328#M172305 knielsen 2019-03-28T12:15:45Z https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453329#M172306 <P>@knielsen . Your query is not returning the result in manner which i want .</P> <P>SsdfWsdfC4 VMware, Inc.<BR /> SWsdfBeF5 VMware, Inc.<BR /> ansdfging5 5.0.3<BR /><BR /> asd1dfsing6 5.0.3<BR /><BR /> ansdfsdfg2<BR /><BR /> 6.2.1</P> Mon, 15 Apr 2019 09:43:16 GMT https://community.splunk.com/t5/Splunk-Search/combine-two-search-results-tables-by-matching-fields-value/m-p/453329#M172306 kannu 2019-04-15T09:43:16Z