topic How can i Search field from two different file source and merge in to a single table ? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-i-Search-field-from-two-different-file-source-and-merge/m-p/692866#M235817 <P>Bellow mentioned table is an example which having same index and sourcetype, but it have a different source.&nbsp;</P><P>I need to search a field from 1st file and the result should be a combination of fields from file 1 and 2.</P><P><STRONG>File 1</STRONG></P><TABLE width="364"><TBODY><TR><TD width="64.5469px"><STRONG>&nbsp;T1_Fld 1</STRONG></TD><TD width="64.5469px"><STRONG>&nbsp;T1_Fld 2</STRONG></TD><TD width="116.812px"><STRONG>Domain</STRONG></TD><TD width="64.5469px">&nbsp;T1_Fld 4</TD><TD width="64.5469px">&nbsp;T1_Fld 5</TD></TR><TR><TD width="64.5469px">AAA</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>google.com</STRONG></TD><TD width="64.5469px">yy1</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAB</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>Facebook.com</STRONG></TD><TD width="64.5469px">yy2</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAB</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>Gmail.com</STRONG></TD><TD width="64.5469px">yy3</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAD</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>Yahoo.com</STRONG></TD><TD width="64.5469px">yy4</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAE</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>xxx.com</STRONG></TD><TD width="64.5469px">yy5</TD><TD width="64.5469px">bbb</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>File 2</STRONG></P><TABLE width="174px"><TBODY><TR><TD width="116.812px"><STRONG>Domain</STRONG></TD><TD width="58.7188px"><STRONG>IP</STRONG></TD></TR><TR><TD width="116.812px">google.com</TD><TD width="58.7188px">1.1.1.1</TD></TR><TR><TD width="116.812px">Facebook.com</TD><TD width="58.7188px">2.2.2.2</TD></TR><TR><TD width="116.812px">Gmail.com</TD><TD width="58.7188px">3.3.3.3</TD></TR><TR><TD width="116.812px">Yahoo.com</TD><TD width="58.7188px">4.4.4.4</TD></TR><TR><TD width="116.812px">xxx.com</TD><TD width="58.7188px">5.5.5.5</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>consider i am running a search where&nbsp;<STRONG>&nbsp;T1_Fld 1=AAB</STRONG> then the result table form should be like below.&nbsp;</P><P><STRONG>Output</STRONG></P><TABLE width="300"><TBODY><TR><TD width="64"><STRONG>&nbsp;T1_Fld 1</STRONG></TD><TD width="108"><STRONG>Domain</STRONG></TD><TD width="64"><STRONG>IP</STRONG></TD><TD width="64"><STRONG>&nbsp;T1_Fld 4</STRONG></TD></TR><TR><TD>AAB</TD><TD>Facebook.com</TD><TD>2.2.2.2</TD><TD>yy2</TD></TR><TR><TD>AAB</TD><TD>Gmail.com</TD><TD>3.3.3.3</TD><TD>yy3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Jul 2024 09:55:57 GMT JIthesh_Kumar 2024-07-10T09:55:57Z How can i Search field from two different file source and merge in to a single table ? https://community.splunk.com/t5/Splunk-Search/How-can-i-Search-field-from-two-different-file-source-and-merge/m-p/692866#M235817 <P>Bellow mentioned table is an example which having same index and sourcetype, but it have a different source.&nbsp;</P><P>I need to search a field from 1st file and the result should be a combination of fields from file 1 and 2.</P><P><STRONG>File 1</STRONG></P><TABLE width="364"><TBODY><TR><TD width="64.5469px"><STRONG>&nbsp;T1_Fld 1</STRONG></TD><TD width="64.5469px"><STRONG>&nbsp;T1_Fld 2</STRONG></TD><TD width="116.812px"><STRONG>Domain</STRONG></TD><TD width="64.5469px">&nbsp;T1_Fld 4</TD><TD width="64.5469px">&nbsp;T1_Fld 5</TD></TR><TR><TD width="64.5469px">AAA</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>google.com</STRONG></TD><TD width="64.5469px">yy1</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAB</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>Facebook.com</STRONG></TD><TD width="64.5469px">yy2</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAB</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>Gmail.com</STRONG></TD><TD width="64.5469px">yy3</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAD</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>Yahoo.com</STRONG></TD><TD width="64.5469px">yy4</TD><TD width="64.5469px">bbb</TD></TR><TR><TD width="64.5469px">AAE</TD><TD width="64.5469px">xxx</TD><TD width="116.812px"><STRONG>xxx.com</STRONG></TD><TD width="64.5469px">yy5</TD><TD width="64.5469px">bbb</TD></TR></TBODY></TABLE><P>&nbsp;</P><P><STRONG>File 2</STRONG></P><TABLE width="174px"><TBODY><TR><TD width="116.812px"><STRONG>Domain</STRONG></TD><TD width="58.7188px"><STRONG>IP</STRONG></TD></TR><TR><TD width="116.812px">google.com</TD><TD width="58.7188px">1.1.1.1</TD></TR><TR><TD width="116.812px">Facebook.com</TD><TD width="58.7188px">2.2.2.2</TD></TR><TR><TD width="116.812px">Gmail.com</TD><TD width="58.7188px">3.3.3.3</TD></TR><TR><TD width="116.812px">Yahoo.com</TD><TD width="58.7188px">4.4.4.4</TD></TR><TR><TD width="116.812px">xxx.com</TD><TD width="58.7188px">5.5.5.5</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>consider i am running a search where&nbsp;<STRONG>&nbsp;T1_Fld 1=AAB</STRONG> then the result table form should be like below.&nbsp;</P><P><STRONG>Output</STRONG></P><TABLE width="300"><TBODY><TR><TD width="64"><STRONG>&nbsp;T1_Fld 1</STRONG></TD><TD width="108"><STRONG>Domain</STRONG></TD><TD width="64"><STRONG>IP</STRONG></TD><TD width="64"><STRONG>&nbsp;T1_Fld 4</STRONG></TD></TR><TR><TD>AAB</TD><TD>Facebook.com</TD><TD>2.2.2.2</TD><TD>yy2</TD></TR><TR><TD>AAB</TD><TD>Gmail.com</TD><TD>3.3.3.3</TD><TD>yy3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Jul 2024 09:55:57 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-Search-field-from-two-different-file-source-and-merge/m-p/692866#M235817 JIthesh_Kumar 2024-07-10T09:55:57Z Re: How can i Search field from two different file source and merge in to a single table ? https://community.splunk.com/t5/Splunk-Search/How-can-i-Search-field-from-two-different-file-source-and-merge/m-p/692942#M235833 <P>Use stats to combine them</P><LI-CODE lang="markup">index=data_set1 OR index=data_set2 | stats values(*) as * by Domain</LI-CODE><P>Here uses values(*) as * to collect all fields from both data sources against their common field Domain.</P><P>You can filter then what you do or don't want, e.g. after the above, do&nbsp;&nbsp;</P><LI-CODE lang="markup">| where T1_Fld 1="AAB"</LI-CODE><P>&nbsp;</P> Wed, 10 Jul 2024 21:55:36 GMT https://community.splunk.com/t5/Splunk-Search/How-can-i-Search-field-from-two-different-file-source-and-merge/m-p/692942#M235833 bowesmana 2024-07-10T21:55:36Z