topic Re: Search in multiple indexes in Splunk Search

Search in multiple indexes

rafamss — Tue, 12 Nov 2013 20:47:20 GMT

Hi guys,

I need some help.

I have 2 index, and in both there are the field "ip", How can I create a search that find only results which exists the in both ? Like a join in SQL.

Like this: index1= indexX AND index2=indexY | stats count by ip

Re: Search in multiple indexes

somesoni2 — Tue, 12 Nov 2013 21:05:41 GMT

Try this

index=indexX |stats count by ip | join ip [search index=indexY | stats count by ip]

index=indexX | table ip | join ip [search index=indexY |table ip] | stats count by ip

Re: Search in multiple indexes

rafamss — Tue, 12 Nov 2013 21:30:59 GMT

Thanks somesoni2, I will test and reply in soon.

Re: Search in multiple indexes

rafamss — Mon, 18 Nov 2013 19:10:32 GMT

Thanks somesoni2, it's worked perfectly.

Re: Search in multiple indexes

isaacyeo — Wed, 19 Nov 2014 03:58:30 GMT

Any chance that this can only be done in later versions of Splunk? I am currently on 4.3.3 using Enterprise Security on 2.0.2. When I search for this: index=indexa sourcetype=sourcea [search index=indexb sourcetype=sourceb] The search is forever ongoing even though I am only searching for the past 5 minutes.

When I search for this: index=indexa OR index=indexb source=sourceb It works but it will not return the results I require.

Re: Search in multiple indexes

Kishorebk — Wed, 25 Feb 2015 10:35:44 GMT

How would the query look if i have more that 10 index's to search for?

Kishore

Re: Search in multiple indexes

markthompson — Wed, 25 Feb 2015 10:40:39 GMT

@rafamss @somesoni2 @Kishorebk - I'd recommend you try the OR Statement, You were close on the question, but instead of AND, you can use the OR.

e.g.

index=index1 OR index=index2 OR index=index3

etc.

Re: Search in multiple indexes

Kishorebk — Mon, 28 Sep 2020 19:03:01 GMT

Hi Mark

I tried, it gives results, but just for one index at time.
Here is the query 0

index=XXXX OR XXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR | rex"(?[\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}][^,]+)" | rename XX_1 as IP | rename XX_2 as IP | rename XX_3 as IP | rex "\W+\s+(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[^s+\W+\s+])" | rex "coming\s+from\s+(?\d*\D*\w*)" | rex "XXX\s+XXX\s+(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | rex "\W(?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}[^,])" | rename IPAddress as IP | rename XX_4 as IP | iplocation IP | stats count values(index) by Country

Re: Search in multiple indexes

Kishorebk — Mon, 28 Sep 2020 19:03:05 GMT

Hi Mark

I tried, it gives results, but just for one index at time.
Here is the query 0

index=XXXX OR XXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR | rex"(?[\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}][^,]+)" | rename XX_1 as IP | rename XX_2 as IP | rename XX_3 as IP | rex "W+s+(?d{1,3}.d{1,3}.d{1,3}.d{1,3}[^s+W+s+])" | rex "comings+froms+(?d*D*w*)" | rex "XXXs+XXXs+(?d{1,3}.d{1,3}.d{1,3}.d{1,3})" | rex "W(?d{1,3}.d{1,3}.d{1,3}.d{1,3}[^,])" | rename IPAddress as IP | rename XX_4 as IP | iplocation IP | stats count values(index) by Country