https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/656226#M226657 <P>But we have some events of job in indexA and some events of job in indexB ,suppose if we want to create a table all events of same job,how can we do that&nbsp;</P> Thu, 31 Aug 2023 09:57:43 GMT welcome 2023-08-31T09:57:43Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655468#M226422 <P>1st query:&nbsp; index="A" event_tag="event1" build_number=1 job_name=job1 type=completed&nbsp;&nbsp;</P><P>2nd query:&nbsp; index="B" event_tag="event2" build_number=1 job_name=job1</P><P>We have some events in indexA and some events in indexB ,how to combine these using common fileds are build_number and job_name.</P><P>What will the query</P><P>&nbsp;</P> Thu, 24 Aug 2023 11:29:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655468#M226422 welcome 2023-08-24T11:29:51Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655472#M226425 <P>There are a few ways to combine searches, but the preferred way uses the general form:</P><LI-CODE lang="markup">(&lt;&lt;query 1&gt;&gt;) OR (&lt;&lt;query 2&gt;&gt;) | stats values(*) as * by &lt;&lt;common fields&gt;&gt;</LI-CODE> Thu, 24 Aug 2023 12:21:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655472#M226425 richgalloway 2023-08-24T12:21:32Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655503#M226437 <P>It is showing statistical information but not merging ,I want events from indexA and indexB together as single event .What will be the query and how can I know merging was happened .<BR />I don't want table or statistics format&nbsp;</P><P>&nbsp;</P> Thu, 24 Aug 2023 14:30:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655503#M226437 welcome 2023-08-24T14:30:20Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655560#M226457 <P>The <FONT face="courier new,courier">join</FONT> command should produce the format you seek, but you'll be unhappy with the performance.&nbsp; That's why the previous method I suggested is preferred.</P><LI-CODE lang="markup">&lt;&lt;query 1&gt;&gt; | join &lt;&lt;common fields&gt;&gt; [ &lt;&lt;query 2&gt;&gt; ]</LI-CODE><P>&nbsp;</P> Fri, 25 Aug 2023 00:19:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655560#M226457 richgalloway 2023-08-25T00:19:27Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655577#M226467 <P>Join command is ok ,but how can know these two index events are combined,how can I see the combined data.Please give the proper answer</P> Fri, 25 Aug 2023 04:07:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655577#M226467 welcome 2023-08-25T04:07:27Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655654#M226485 <P>The indexed events are not combined.&nbsp; Indexed data is never changed so the events will forever remain separated.&nbsp; All we can do is correlate data from the indexes and display it in an appropriate format.&nbsp; You can, however, write the correlated data to a summary index using the <FONT face="courier new,courier">collect</FONT> command then fetch the events in the summary index to see a combined event.</P> Fri, 25 Aug 2023 13:23:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/655654#M226485 richgalloway 2023-08-25T13:23:22Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/656226#M226657 <P>But we have some events of job in indexA and some events of job in indexB ,suppose if we want to create a table all events of same job,how can we do that&nbsp;</P> Thu, 31 Aug 2023 09:57:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/656226#M226657 welcome 2023-08-31T09:57:43Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/656253#M226667 <P>My first answer said how to create a table with events of the same job from both indexes, but then you said you don't want a table.</P> Thu, 31 Aug 2023 12:00:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-events-from-two-indexes-in-Splunk/m-p/656253#M226667 richgalloway 2023-08-31T12:00:32Z