https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181588#M52328 <P>if you want to join events per domain, you need to extract the domain in a field for both type of events.<BR /> By example with a rex command. Then join the 2 set of results on this new field.</P> <P><CODE>index=proxy | rex field=url "http(s|)://(?[-_\w\d\.]*)"<BR /> | join shortdomain [<BR /> search index=watchlist | rex field=domain "http(s|)://(?[-_\w\d\.]*)" ]</CODE></P> <P>please adapt to your actual fields formats.</P> Thu, 23 Oct 2014 14:21:25 GMT yannK 2014-10-23T14:21:25Z https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181586#M52326 <P>Hi,</P> <P>I need to search in multiple indexes but the field values won't match exactly so a straight join will not produce results.</P> <P>index=proxy Url="<EM>" | join [search index=watchlist "</EM>".domain."*"]</P> <P>This is the code I am using and while syntax is ok I don't know if it is doing what I want. The proxy index has a full URL while the watchlist only has the top level of the domain i.e. <A href="http://www.splunk.com">www.splunk.com</A></P> <P>Any help appreciated.</P> Thu, 23 Oct 2014 13:23:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181586#M52326 StormTrooper 2014-10-23T13:23:42Z https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181587#M52327 <P>I think you may want to do an eval and rex command on the proxy Url to pull out the top level domain. I believe the join command is going to search for an exact match and I am trying to imagine scenarios where your Url and subsearch on the join won't match but should.</P> Thu, 23 Oct 2014 14:10:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181587#M52327 carpga 2014-10-23T14:10:15Z https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181588#M52328 <P>if you want to join events per domain, you need to extract the domain in a field for both type of events.<BR /> By example with a rex command. Then join the 2 set of results on this new field.</P> <P><CODE>index=proxy | rex field=url "http(s|)://(?[-_\w\d\.]*)"<BR /> | join shortdomain [<BR /> search index=watchlist | rex field=domain "http(s|)://(?[-_\w\d\.]*)" ]</CODE></P> <P>please adapt to your actual fields formats.</P> Thu, 23 Oct 2014 14:21:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181588#M52328 yannK 2014-10-23T14:21:25Z https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181589#M52329 <P>Thank you for these answers. @ yannK I tried your code but got the following error </P> <P>Error in 'rex' command: Encountered the following error while compiling the regex 'http(s|)://(?[-_\w\d.]*)': Regex: unrecognized character after (? or (?- </P> <P>Any idea why? It all looks OK to me so I am not sure what I did wrong.</P> Fri, 24 Oct 2014 13:28:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181589#M52329 StormTrooper 2014-10-24T13:28:14Z https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181590#M52330 <P>The regex command was reformatted by the website,</P> <P>it should have a tag after the question mark, I added it back in the example below, <BR /> please remove the "underscore" to fix it <CODE>_shortdomain_</CODE> to <CODE>shortdomain</CODE></P> <P><CODE>index=proxy | rex field=url "http(s|)://(?&lt;_shortdomain_&gt;[-_\w\d\.]*)" | join shortdomain [ search index=watchlist | rex field=domain "http(s|)://(?&lt;_shortdomain_&gt;[-_\w\d\.]*)" ]</CODE></P> Fri, 24 Oct 2014 16:18:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181590#M52330 yannK 2014-10-24T16:18:23Z https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181591#M52331 <P>Thank you for this, I got it working as I wanted.</P> <P>P.S. sorry for the delay in replying I haven't had a chance to look at this for a while.</P> Thu, 13 Nov 2014 17:23:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-multiple-indexes-and-join-field-values-that-don-t/m-p/181591#M52331 StormTrooper 2014-11-13T17:23:40Z