
Joining Multiple index and sourcetypes

New Member

I have two indexes and multiple sourcetypes. Hostname is the common field. I want to bring all possible information about that host from all sourcetypes.

index=I1 sourcetype=S1
index=I2 sourcetype=S2, sourcetype=S3, sourcetype=S4, sourcetype=S5

Sourcetypes S2 to S5 belong to the same index, I2.

Things I tried

1.

(index=I1 OR index=I2) (sourcetype=S1 OR sourcetype=S2 OR sourcetype=S3)
| fields

Didn't work.

2.

| multisearch
    [search index=I1 sourcetype=S1]
    [search index=I2 (sourcetype=S2 OR sourcetype=S3 ...)]

Didn't work.

3.

| multisearch
    [search index=I1 sourcetype=S1]
    [search index=I2 sourcetype=S2]
    [search index=I2 sourcetype=S3]

Taking a lot of time.

What am I missing here? What is the best approach to join two different indexes, where one index has multiple sourcetypes?

0 Karma

Motivator

(index=I1 sourcetype=S1) OR (index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5))

Cheers,
Jacob
0 Karma
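As an added example (not Jacob's code and not from the original thread) of what to put after that base search so that every sourcetype's information about a host lands on one row: the field names src_ip, os and user are assumed for illustration, host is the common field the question names, and the where clause keeps only hosts seen in more than one sourcetype.

```spl
(index=I1 sourcetype=S1) OR (index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5))
| fields _time host index sourcetype src_ip os user
| stats count AS events,
        dc(sourcetype) AS sourcetype_count,
        values(sourcetype) AS sourcetypes,
        values(src_ip) AS src_ip,
        values(os) AS os,
        values(user) AS user,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY host
| where sourcetype_count > 1
| convert ctime(first_seen) ctime(last_seen)
```

The OR'd base search reads both indexes in a single pass, so there is no subsearch and no subsearch result limit; the fields command right after it trims each event to the fields stats needs before they leave the indexers, and stats BY host is what actually correlates the sourcetypes. Drop the where clause to keep hosts that appear in only one sourcetype, or replace the named values() calls with values(*) AS * to carry every extracted field through.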

Communicator

Hi,
You could use the | join command to achieve that result.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

Alternatively, you could also have a look at the | append command to achieve similar results based on your use case.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Append

0 Karma
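As an added example (not mguhad's code and not from the original thread) of the join form this answer points to: the field names os, owner and src_ip are assumed for illustration, the left join keeps I1 hosts that have nothing in I2, and each side is collapsed to one row per host before the join so that join's default max=1 match does not silently drop rows.

```spl
index=I1 sourcetype=S1
| stats latest(os) AS os, values(owner) AS owner BY host
| join type=left host
    [ search index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5)
      | stats values(sourcetype) AS i2_sourcetypes, values(src_ip) AS src_ip BY host ]
```

The caveat a practitioner wants here: the bracketed search runs as a subsearch, and subsearches are capped by limits.conf (for join, subsearch_maxout defaults to 50,000 results and subsearch_maxtime to 60 seconds), after which results are truncated without an error in the results table, only a message in the job inspector. With eight sourcetypes in I2 that cap is easy to hit, which is why this form feels costly. The append variant is the same query with `| append` in place of `| join type=left host` and `| stats values(*) AS * BY host` added at the end; it avoids join's per-row matching but still carries the subsearch cap, so for large host populations the single OR'd base search with stats BY host is the cheapest option.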

New Member

@mguhad Thanks for the answer.
Using join will be very costly for this search, I guess. Let me try.

In index 2 I have 8 different sourcetypes.

0 Karma

Communicator

Perhaps you could go to one index, say the one with 8 sourcetypes, and search it: index=1 sourcetype=s1 OR sourcetype=s2 ... OR sourcetype=s8.
Once you get that data, tag it or create an eventtype that holds that data, and thus you will be able to combine the two indexes easily, now that you have taken care of the index with many sourcetypes by assigning a tag or eventtype to it.

0 Karma
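As an added example (not this answer's code and not from the original thread) of the eventtype-and-tag approach: it assumes two eventtypes have been created under Settings > Event types (or in eventtypes.conf), i1_host_events with the search string index=I1 sourcetype=S1 and i2_host_events with the search string index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5 OR sourcetype=S6 OR sourcetype=S7 OR sourcetype=S8), and that both eventtypes carry the tag host_info. The names are assumptions for illustration.

```spl
tag=host_info
| stats values(index) AS indexes,
        values(sourcetype) AS sourcetypes,
        values(eventtype) AS eventtypes,
        count AS events
        BY host
```

Two caveats. First, an eventtype is expanded at search time into its search string, so tag=host_info costs exactly what the OR'd base search costs; the gain is maintainability (adding a ninth sourcetype means editing one eventtype, not every saved search), not speed. Second, keep the index= term inside each eventtype's search string as above, otherwise the tag search is scoped only by the sourcetype names and will scan every index the user can read. Eventtype search strings cannot contain a pipe, so the stats BY host consolidation still has to follow in the search itself.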