https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692466#M235696 <P>everything you write is correct but it is not my case.&nbsp;<BR />Below my indexes with keys:<BR />index1:&nbsp; AAA<BR />key values:&nbsp; fieldA1 AND fieldA2<BR /><BR />index2 : BBB<BR />key values: fieldB1 AND fieldB2</P> <P>so I suppose I need to do something like</P> <LI-CODE lang="markup">| eval JOIN=if (index='AAA', fieldA1+"_"+fieldA2, fieldB1+"_"+fieldB2)</LI-CODE> <P>or in your way:</P> <LI-CODE lang="markup">| eval key=coalesce(fieldA1+"_"+fieldA2 , fieldB1+"_"+fieldB2)</LI-CODE> <P><BR />btw. In a few sources close to splunk I read IF is more efficient than COALESCE .&nbsp;&nbsp; But of course both methods do more or less the same.</P> Fri, 05 Jul 2024 12:24:22 GMT kp_pl 2024-07-05T12:24:22Z https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692460#M235691 <LI-CODE lang="markup">index=db OR index=app | eval join=if(index="db",processId,pid) | stats sum(rows) sum(cputime) by join</LI-CODE> <P><EM><BR /><BR /></EM>Above is simple example how to join two indexes. But how to join two indexes where the key value has two fields ?<EM><BR /></EM><BR />K.</P> <P>&nbsp;</P> Sat, 06 Jul 2024 12:09:01 GMT https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692460#M235691 kp_pl 2024-07-06T12:09:01Z https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692462#M235692 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265845">@kp_pl</a>&nbsp;,</P><P>yes, it's correct.</P><P>I'd use coalesce instead if:</P><LI-CODE lang="markup">index IN (db, app) | eval key=coaesce(processId,pid) | stats sum(rows) AS rown sum(cputime) AS cputime by key</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Jul 2024 07:11:41 GMT https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692462#M235692 gcusello 2024-07-05T07:11:41Z https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692464#M235694 <P>I suppose you do not understand my question .&nbsp;</P> <P>I need a join two indexes by two fields , Something like<BR /><BR /></P> <LI-CODE lang="markup">| eval key=if(index="aaa", I1key1 , I2key1) | eval key2=if(index="aaa", I1key2 , I2key2) | stats values(*) as * by (key and key2)</LI-CODE> Fri, 05 Jul 2024 12:22:37 GMT https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692464#M235694 kp_pl 2024-07-05T12:22:37Z https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692465#M235695 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265845">@kp_pl</a>&nbsp;,</P><P>I understood that you have key1 in ndex1 and key2 in index2 and you want to correate events from both the indexes.</P><P>using coalesce, you create a new field (caed key) that takes values from index1 (when present key1) or otherwise from index2 (key2).</P><P>then you correlate values using stats and you have values from both the indexes.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Jul 2024 08:06:12 GMT https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692465#M235695 gcusello 2024-07-05T08:06:12Z https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692466#M235696 <P>everything you write is correct but it is not my case.&nbsp;<BR />Below my indexes with keys:<BR />index1:&nbsp; AAA<BR />key values:&nbsp; fieldA1 AND fieldA2<BR /><BR />index2 : BBB<BR />key values: fieldB1 AND fieldB2</P> <P>so I suppose I need to do something like</P> <LI-CODE lang="markup">| eval JOIN=if (index='AAA', fieldA1+"_"+fieldA2, fieldB1+"_"+fieldB2)</LI-CODE> <P>or in your way:</P> <LI-CODE lang="markup">| eval key=coalesce(fieldA1+"_"+fieldA2 , fieldB1+"_"+fieldB2)</LI-CODE> <P><BR />btw. In a few sources close to splunk I read IF is more efficient than COALESCE .&nbsp;&nbsp; But of course both methods do more or less the same.</P> Fri, 05 Jul 2024 12:24:22 GMT https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692466#M235696 kp_pl 2024-07-05T12:24:22Z https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692468#M235697 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/265845">@kp_pl</a>&nbsp;,</P><P>yes, coalesce and if are the same, even if I always use coalesce.</P><P>I usually use "." instead "+".</P><P>let me summarize: for events from index A, you want to use to concatenated fields from this index, otherwise</P><P>two concatenated fieds from index B, is it correct?</P><P>in this case you could use:</P><LI-CODE lang="markup">| eval key=coalesce(fieldA1."_".fieldA2, fieldB1."_".fieldB2)</LI-CODE><P>or in your way:</P><LI-CODE lang="markup">| eval JOIN=if(index="AAA", fieldA1."_".fieldA2, fieldB1."_".fieldB2)</LI-CODE><P>let me know.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Jul 2024 08:42:38 GMT https://community.splunk.com/t5/Splunk-Search/multifield-key-between-indexes/m-p/692468#M235697 gcusello 2024-07-05T08:42:38Z