https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200197#M58017 <P>I am trying to group three sets of indexes' logs when all three have the same source and destination IP address within a minute of each other. My initial thought was to use <CODE>transaction</CODE>, but ran into a problem because the source IP in index-A is called 'dvc_ip'. Is there a way to have transaction see the dvc_ip value of Index-A and match that with src_ip value of Index B &amp; C?</P> <P>Ultimately, I'd like to join these logs together to then create a table (username, host_ip, src_ip, dest_ip, website, category, referrer).</P> <P><STRONG>Log Field Setup</STRONG></P> <PRE><CODE>Index-A host_ip dvc_ip dest_ip Index-B src_ip dest_ip website referrer Index-C src_ip dest_ip website category username // dvc_ip and src_ip are the same value, just named differently. Indices B/C do not have the host_ip. </CODE></PRE> <P><STRONG>Sample Data</STRONG></P> <PRE><CODE>Index-A 192.168.0.100 1.2.3.4 4.4.4.4 Index-B 1.2.3.4 4.4.4.4 amazon.com google.com Index-C 1.2.3.4 4.4.4.4 amazon.com shopping jsmith </CODE></PRE> Tue, 29 Sep 2020 08:47:15 GMT DEAD_BEEF 2020-09-29T08:47:15Z https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200197#M58017 <P>I am trying to group three sets of indexes' logs when all three have the same source and destination IP address within a minute of each other. My initial thought was to use <CODE>transaction</CODE>, but ran into a problem because the source IP in index-A is called 'dvc_ip'. Is there a way to have transaction see the dvc_ip value of Index-A and match that with src_ip value of Index B &amp; C?</P> <P>Ultimately, I'd like to join these logs together to then create a table (username, host_ip, src_ip, dest_ip, website, category, referrer).</P> <P><STRONG>Log Field Setup</STRONG></P> <PRE><CODE>Index-A host_ip dvc_ip dest_ip Index-B src_ip dest_ip website referrer Index-C src_ip dest_ip website category username // dvc_ip and src_ip are the same value, just named differently. Indices B/C do not have the host_ip. </CODE></PRE> <P><STRONG>Sample Data</STRONG></P> <PRE><CODE>Index-A 192.168.0.100 1.2.3.4 4.4.4.4 Index-B 1.2.3.4 4.4.4.4 amazon.com google.com Index-C 1.2.3.4 4.4.4.4 amazon.com shopping jsmith </CODE></PRE> Tue, 29 Sep 2020 08:47:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200197#M58017 DEAD_BEEF 2020-09-29T08:47:15Z https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200198#M58018 <P>Why don't you use an alias to name your source ip with the same name across all your three indexes?<BR /> Something like:</P> <PRE><CODE>index=Index-A OR index=Index-B OR index=Index-C | eval source_ip = coalesce(dvc_ip, src_ip) | transaction source_ip, dest_ip BLA BLA BLA </CODE></PRE> <P>By the way, transaction might not be accurate enough for what you are trying to achieve unless you can easily specify your startWith event and your endWith event.</P> Wed, 10 Feb 2016 19:32:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200198#M58018 javiergn 2016-02-10T19:32:25Z https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200199#M58019 <P>I did not know about using an alias. The time between the three logs are all within a 1-minute span. Trying alias now.</P> Wed, 10 Feb 2016 19:43:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-various-logs-from-different-indexes-with-different/m-p/200199#M58019 DEAD_BEEF 2016-02-10T19:43:36Z