https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426020#M172650 <P>Can you try something like this ?</P> <PRE><CODE>index="ABC" OR index="XYZ" | stats latest(eval(case(index="ABC" AND action="Login",_time))) as login_time latest(eval(case(index="ABC" AND action="Logout",_time))) as logout_time latest(eval(case(index="XYZ",_time))) as compare_time latest(CRUD) as CRUD latest(sessionkey) as sessionkey by name | where login_time&lt;compare_time AND logout_time&gt;compare_time </CODE></PRE> <P>let me know if this helps!</P> Fri, 08 Mar 2019 00:41:48 GMT mayurr98 2019-03-08T00:41:48Z https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426017#M172647 <P>Hi folks,</P> <P>I have 2 indexes containing information as below:</P> <PRE><CODE>index ABC _time sessionkey name action 06/03/2019 01:15:20 XfRtG5R3FR$Er John Login 06/03/2019 01:18:25 XfRtG5R3FR$Er John Logout 06/03/2019 03:28:10 FFT$WFTFETR% John Login 06/03/2019 03:31:56 FFT$WFTFETR% John Logout </CODE></PRE> <P>index XYZ</P> <PRE><CODE> _time name CRUD 06/03/2019 01:16:22 John Update </CODE></PRE> <P>So, unfortunately, I don't have a session key in both indexes to tie in these two events. </P> <P>How can I correlate these 2 logs by Name AND date range? i.e.</P> <PRE><CODE>TimeSessionStarted TimeSessionFinished sessionkey name CRUD 06/03/2019 01:15:20 06/03/2019 01:18:25 XfRtG5R3FR$Er John Update </CODE></PRE> <P>Cheers,</P> Thu, 07 Mar 2019 23:45:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426017#M172647 ADRIANODL 2019-03-07T23:45:36Z https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426018#M172648 <P>Well as long as the times are exactly the same, this should work: </P> <PRE><CODE>index ABC OR index XYZ |stats latest(CRUD) as CRUD latest(action) as action latest(sessionkey) as sessionkey by _time name </CODE></PRE> Thu, 07 Mar 2019 23:53:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426018#M172648 chrisyounger 2019-03-07T23:53:44Z https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426019#M172649 <P>Unfortunately the times are not the same. The time on index XYZ falls under a session of index ABC though.</P> Thu, 07 Mar 2019 23:59:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426019#M172649 ADRIANODL 2019-03-07T23:59:37Z https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426020#M172650 <P>Can you try something like this ?</P> <PRE><CODE>index="ABC" OR index="XYZ" | stats latest(eval(case(index="ABC" AND action="Login",_time))) as login_time latest(eval(case(index="ABC" AND action="Logout",_time))) as logout_time latest(eval(case(index="XYZ",_time))) as compare_time latest(CRUD) as CRUD latest(sessionkey) as sessionkey by name | where login_time&lt;compare_time AND logout_time&gt;compare_time </CODE></PRE> <P>let me know if this helps!</P> Fri, 08 Mar 2019 00:41:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426020#M172650 mayurr98 2019-03-08T00:41:48Z https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426021#M172651 <P>Hi mayurr98,<BR /> Apologies but I didn't explain the whole thing: the login/logout words don't always appear, so I should rather use the session key as what defines a session.<BR /> Does that make sense?</P> Fri, 08 Mar 2019 02:19:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-correlate-events-from-two-different-indexes-by-date/m-p/426021#M172651 ADRIANODL 2019-03-08T02:19:07Z