How do I join data from two indexes on a certain field?

sekhar463 — Thu, 19 Oct 2023 12:54:40 GMT

Hi all,

i am using a search using internal index but i want to add a field values which is in other index = wineventlog

below is the i am using from internal index

in the search i want to add a field to table

Re: How do I join data from two indexes on a certain field?

gcusello — Wed, 18 Jan 2023 14:53:10 GMT

this search cannot run because the Splunk searches run as a pipe, so, if you search for index=_internal at the beginning, you cannot search for another index after because you haven't events from the second index.

You can do something like you described using append but the results of the second search must be less than 50,000 otherwise the subsearch for the second index doesn't give you all the result.

As I said you could use append or (better) you could both the searches in the main search, so you haven't the limit of 50,000 results, something like this:

(index=_internal source=*metrics.log group=tcpin_connections) OR (index=ivz_wintel_wineventlog) | eval Host=coalesce(hostname, sourceHost), age=(now()-_time) | stats min(age) AS age max(_time) AS LastTime BY Host | convert ctime(LastTime) AS "Last Active On" | eval Status=if(age< 7200,"Running","DOWN") | rename age AS Age | eval Age=tostring(Age,"duration") | sort Status | table Host Status Age "Last Active On"

Ciao.

Giuseppe

topic How do I join data from two indexes on a certain field? in Splunk Search

How do I join data from two indexes on a certain field?

Re: How do I join data from two indexes on a certain field?