https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309201#M92737 <P>Thank you !</P> Tue, 23 May 2017 20:15:32 GMT eyaluodba 2017-05-23T20:15:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309198#M92734 <P>Is it possible to have two different indices and have results in a single table? The Indices are...</P> <PRE><CODE>index=_internal source=*web_access.log* /app/ action=edit | rex "/app/(?&lt;app_name&gt;.\w+)/(?&lt;dashboard_name&gt;.\w+)" | table dashboard_name, _time, app_name, user </CODE></PRE> <P>and </P> <PRE><CODE>index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount&gt;0" | rex field=search "index=(?P&lt;search_index&gt;[^ ]+)" | stats count by search_index | sort - count| table search_index user </CODE></PRE> <P>Please let me know! Thank you so much.</P> Tue, 23 May 2017 19:45:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309198#M92734 eyaluodba 2017-05-23T19:45:13Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309199#M92735 <P>You can join searches many ways but almost all of them are subjected to the 50Kish event limit so beware this:</P> <PRE><CODE>index=_internal source=*web_access.log* /app/ action=edit | rex "/app/(?&lt;app_name&gt;.\w+)/(?&lt;dashboard_name&gt;.\w+)" | table dashboard_name, _time, app_name, user | append [ search index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount&gt;0" | rex field=search "index=(?P&lt;search_index&gt;[^ ]+)" | stats count by search_index | sort - count | table search_index user] </CODE></PRE> Tue, 23 May 2017 20:05:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309199#M92735 woodcock 2017-05-23T20:05:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309200#M92736 <P>Hi eyaluodba,</P> <P>Sure, read more about the topic in this answer <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A> or in the Virtual .conf March 2016 session over here <A href="http://wiki.splunk.com/Virtual_.conf">http://wiki.splunk.com/Virtual_.conf</A> </P> <P>For a start just combine your base searches:</P> <PRE><CODE>( index=_internal source=*web_access.log* /app/ action=edit ) OR ( index=_audit action=search info=granted search=* NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount&gt;0" ) </CODE></PRE> <P>followed by any further commands you need to get to your required result.</P> <P>Hope that helps ...</P> <P>cheers, MuS</P> Tue, 23 May 2017 20:08:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309200#M92736 MuS 2017-05-23T20:08:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309201#M92737 <P>Thank you !</P> Tue, 23 May 2017 20:15:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309201#M92737 eyaluodba 2017-05-23T20:15:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309202#M92738 <P>Thank you!</P> Tue, 23 May 2017 20:21:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-make-a-couple-of-indices-in-one-table/m-p/309202#M92738 eyaluodba 2017-05-23T20:21:40Z