Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Joining Multiple index and sourcetypes

krishdeesplunk
New Member
‎09-10-2019 11:09 AM

I have two index and multiple sourcetypes. Hostname is the common.. I will to bring all possible information of that host from all ST.

index=I1 ST=S1
index-I2 ST=S2, ST=S3,ST=S4,ST=S5

Sourcetype= S2 to S5 belongs to same Index=I2

Things I tried

1

(index=I1 OR index=I2) (ST=S1 OR ST=S2 OR ST=S3)
|fields

Didnt worked

2

|multisearch
[search index=I1 ST=S]
[search index=I2 (ST=S1 OR ST=S2 ...]

didnt worked

3 |multisearch

[search index=I1 ST=S]
[search index=I2 ST=S2]
[search index=I2 ST=S3]

taking a lottt lottt time

What am i missing here.. what is the best approach to join two different index and one index having multiple Sourcetypes?

Tags (1)
0 Karma
Reply

jacobpevans
Motivator
‎09-10-2019 02:03 PM

(index=I1 sourcetype=S1) OR (index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5))

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

mguhad
Communicator
‎09-10-2019 12:57 PM

Hi,
You could use the | join command to achieve that result.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join

Alternatively, you could also have a look at *| append * command to achieve similar results based on your use case.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Append

0 Karma
Reply

krishdeesplunk
New Member
‎09-10-2019 01:31 PM

@mguhad Thanks for the Answer.
Using join will be very costly for this search i guess.. let me try

in Index 2 i have 8 different sourcetypes

0 Karma
Reply

mguhad
Communicator
‎09-11-2019 02:03 PM

perhaps you could to to one index, say the one with 8 sourcetypes...search it index=1 sourcetype=s1 OR sourcetype=s2.... OR sourcetype=s8
once you get that data, tag* it or create an eventtype that holds that data & thus will be able to combine the two indexes easily now that you have taken care of the index with many sourcetypes by assigning a tag or eventtype to the index with many sourcetypes

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...