How to merge the results from two different indexes/sourcetypes.

New Member


I have two queries, one gives me the test-case names, test-id details and lsf jobid details. Another query gives me the details on how much memory and cpu that my test has consumed. But unfortunately the second query doesn't have the test-names and test-id details.

So i was trying out to merge the two queries to display the memory consumption values along with test-case names and other details. I have tried a sub search but it did not help much.
Can you please tell me is there anyother way to do this.

Here are the queries for reference:
1. index=qvmr_soc_r groupID=qvmr_hana thumb_print=bks_2018.04.23_00.55.01_san_qp200_e10_1_04_56478 job_type=run_job state=Done | stats list(test_name) as test_name list(vov_jobid) as jobid by thumb_print

  1. index=public365 sourcetype=json_flowtracer user=bks vov_project_name=bks_2018.04.23_00.54.31_vl_bks_gridsdca_113606 | stats list(vov_jobname) as jobname list(vov_job_reqram) as reqram list(vov_job_maxram) as maxram list(vov_job_maxswap) as maxswap list(vov_jobid) as Jobid by vov_project_name

Please help on this.

Tags (1)
0 Karma


The field in common seems to be vov_jobid.

This should roll together all the data for each vov_jobid.

( index=qvmr_soc_r   

 | fields test_name thumb_print vov_jobid vov_jobname vov_job_reqram vov_job_maxram vov_job_maxswap vov_project_name
 | stats values(*) as * by vov_jobid

That should give you a set of records that look like this (some fields may be empty)

| fields _time vov_jobid test_name thumb_print vov_jobname vov_job_reqram vov_job_maxram vov_job_maxswap vov_project_name

Start from there and see where you end up.

0 Karma


how would you, as a human, know that something on one report matched something on the other report?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!