https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/696090#M236600 <P>As per&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;'s comment, yes it is case sensitive. Use eval upper or lower to convert them all to the same case</P> Tue, 13 Aug 2024 04:21:18 GMT KendallW 2024-08-13T04:21:18Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695944#M236575 <P>Hi All,<BR />i need to consolidate / correlate data from 2 different indexes as explained below. I have gone thru multiple posts on this forum from experts relevant to this but somehow for my use case, the same query ain't working. I have below situation:<BR />In Index=<STRONG>windows</STRONG> , the field "<STRONG>host</STRONG>" contains all the different hosts sending logs to Splunk. For example: Host01, Host02 etc.<BR />In another index=<STRONG>cmdb</STRONG>, the field "<STRONG>dv_name</STRONG>" contain the same hostnames sending logs.&nbsp; &nbsp;Also, there are other fields like dv_status and dv_os in this index which i need to be part of final output</P><P>So as explained above,&nbsp; the common link is the host field, its <STRONG>name</STRONG> is different across the 2 index, but the <STRONG>values</STRONG> are same.</P><P>&nbsp;</P><P><BR />When i run the following 2 queries to get my expected output, it only pulls data from windows index. It completely avoids the other cmdb index, irrespective of the fact the cmdb index has data / events from same hosts in the time range whatever i select.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*) | eval asset_name=coalesce(dv_name, host) | stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by asset_name</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Output it it showing:&nbsp;&nbsp;<BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="20%">asset_name</TD><TD width="20%">idx_count</TD><TD width="20%">index</TD><TD width="20%">dv_os</TD><TD width="20%">dv_status</TD></TR><TR><TD width="20%">Host01</TD><TD width="20%">1</TD><TD width="20%">windows</TD><TD width="20%">&nbsp;</TD><TD width="20%">&nbsp;</TD></TR><TR><TD width="20%">Host02</TD><TD width="20%">1</TD><TD width="20%">windows</TD><TD width="20%">&nbsp;</TD><TD width="20%">&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Expected output</P><TABLE border="1"><TBODY><TR><TD width="20%">asset_name</TD><TD width="20%">idx_count</TD><TD width="20%">index</TD><TD width="20%">dv_os</TD><TD width="20%">dv_install_status</TD></TR><TR><TD width="20%">Host01</TD><TD width="20%">2</TD><TD width="20%">windows, cmdb</TD><TD width="20%">Windows Server</TD><TD width="20%">Production</TD></TR><TR><TD width="20%">Host02</TD><TD width="20%">2</TD><TD width="20%">windows, cmdb</TD><TD width="20%">Windows Server</TD><TD width="20%">Test</TD></TR></TBODY></TABLE><P><BR /><BR /></P> Mon, 12 Aug 2024 05:51:10 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695944#M236575 neerajs_81 2024-08-12T05:51:10Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695945#M236576 <P>&nbsp;</P><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>&nbsp;try just renaming the dv_name field instead of creating a new field with coalesce, e.g.:</P><LI-CODE lang="markup">(index=cmdb sourcetye=server) OR (index=windows) | rename dv_name as host | stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by host</LI-CODE><P>&nbsp;</P><P><BR /><BR /></P> Mon, 12 Aug 2024 05:51:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695945#M236576 KendallW 2024-08-12T05:51:48Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695946#M236577 <P>That didn't work. Query does not show any results if we rename the dv_name to host. That is because host is a default field&nbsp; and for index=cmdb, the <STRONG>host</STRONG> field originally contains the name of the Log source (ServiceNow) sending over the asset information to splunk. Renaming it overwrites the default field.<BR />thanks for replying though.</P> Mon, 12 Aug 2024 05:58:50 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695946#M236577 neerajs_81 2024-08-12T05:58:50Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695947#M236578 <P>It shouldn't matter what is contained in the host field in the 'cmdb' index as we are overwriting it. There is no problem with overwriting default fields in a search.<BR />Regardless, I still can't see why your original query didn't work. - There may be some whitespace or other strange characters in some of the field values from one of the indexes causing them to not match with the other index. Are you able to check this?</P> Mon, 12 Aug 2024 06:15:10 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695947#M236578 KendallW 2024-08-12T06:15:10Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695953#M236579 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/121137">@KendallW</a>&nbsp; Does the coalesce or rename command treat the hostnames differently if they are different in cases? One is lower case in one index and other index has the same hostname in Upper case. Is the merge case sensitive ?&nbsp;&nbsp;For example,&nbsp; <STRONG>HOST01</STRONG> which is one of the values in <STRONG>host</STRONG> field of index=windows, is actually&nbsp; <STRONG>host01</STRONG> in index=cmdb ( under the <STRONG>dv_name</STRONG>) field.&nbsp;&nbsp;<BR /><BR />That explains why the consolidation via coalesce or rename ain't working.</P> Mon, 12 Aug 2024 07:14:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695953#M236579 neerajs_81 2024-08-12T07:14:41Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695956#M236581 <P>Case does matter - as far as Splunk is concerned they are two different hosts - you could try converting to lower case</P><LI-CODE lang="markup">(index=windows) OR (index=cmdb sourcetype="snow:cmdb_ci_server" dv_name=*) | eval asset_name=lower(coalesce(dv_name, host)) | stats dc(index) as idx_count, values(index) values(dv_os), values(dv_install_status) by asset_name</LI-CODE> Mon, 12 Aug 2024 07:12:49 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/695956#M236581 ITWhisperer 2024-08-12T07:12:49Z https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/696090#M236600 <P>As per&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;'s comment, yes it is case sensitive. Use eval upper or lower to convert them all to the same case</P> Tue, 13 Aug 2024 04:21:18 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-to-combine-data-from-2-different-index-not-working/m-p/696090#M236600 KendallW 2024-08-13T04:21:18Z