https://community.splunk.com/t5/Splunk-Search/How-would-I-merge-the-events-from-two-log-files-so-that-it/m-p/252569#M189341 <P>You could do it in the search with an eval to merge the two hosts' data into one:</P> <PRE><CODE>sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host </CODE></PRE> Fri, 18 Mar 2016 19:31:22 GMT jhupka 2016-03-18T19:31:22Z https://community.splunk.com/t5/Splunk-Search/How-would-I-merge-the-events-from-two-log-files-so-that-it/m-p/252568#M189340 <P>The logs are created by the same application and have the same fields. </P> <P>What I am after is displaying the count of events from two hosts (of 10) as a single host in a timechart. This search breaks out authentications across 10 hosts, I want it to look like there are 9 hosts.</P> <P>sourcetype=rsa_auth AUTHN_LOGIN_EVENT| timechart span=1d count by host</P> Tue, 29 Sep 2020 09:08:25 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-merge-the-events-from-two-log-files-so-that-it/m-p/252568#M189340 cal_dunigan 2020-09-29T09:08:25Z https://community.splunk.com/t5/Splunk-Search/How-would-I-merge-the-events-from-two-log-files-so-that-it/m-p/252569#M189341 <P>You could do it in the search with an eval to merge the two hosts' data into one:</P> <PRE><CODE>sourcetype=rsa_auth AUTHN_LOGIN_EVENT | eval host=if(host="serverA.foo.com" OR host="serverB.foo.com", "single_server.foo.com", host) | timechart span=1d count by host </CODE></PRE> Fri, 18 Mar 2016 19:31:22 GMT https://community.splunk.com/t5/Splunk-Search/How-would-I-merge-the-events-from-two-log-files-so-that-it/m-p/252569#M189341 jhupka 2016-03-18T19:31:22Z