I have two indexes and multiple sourcetypes. Hostname is the common field. I want to bring all possible information about that host from all sourcetypes.
index=I1 ST=S1
index=I2 ST=S2, ST=S3, ST=S4, ST=S5
Sourcetypes S2 to S5 belong to the same index, I2.
Things I tried:
(index=I1 OR index=I2) (ST=S1 OR ST=S2 OR ST=S3)
|fields
Didn't work.
|multisearch
[search index=I1 ST=S]
[search index=I2 (ST=S1 OR ST=S2 ...]
Didn't work.
[search index=I1 ST=S]
[search index=I2 ST=S2]
[search index=I2 ST=S3]
Taking a lot of time.
What am I missing here? What is the best approach to join two different indexes, when one index has multiple sourcetypes?
(index=I1 sourcetype=S1) OR (index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5))
Hi,
You could use the | join command to achieve that result.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join
Alternatively, you could also have a look at the | append command to achieve similar results based on your use case.
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Append
@mguhad Thanks for the answer.
Using join will be very costly for this search, I guess. Let me try.
In index 2 I have 8 different sourcetypes.
Perhaps you could go to one index, say the one with 8 sourcetypes, and search it: index=1 sourcetype=s1 OR sourcetype=s2 .... OR sourcetype=s8
Once you get that data, tag it or create an eventtype that holds that data. You will then be able to combine the two indexes easily, now that you have taken care of the index with many sourcetypes by assigning a tag or eventtype to it.
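As an added example (not from any of the posters above), this is how the single OR-combined search from the thread can be extended to collapse everything known about each host into one row; it assumes the shared hostname lives in the field named host and that I1, I2 and S1 to S5 are the real index and sourcetype names.

```spl
(index=I1 sourcetype=S1) OR (index=I2 (sourcetype=S2 OR sourcetype=S3 OR sourcetype=S4 OR sourcetype=S5))
| stats values(*) AS * BY host
```

Because this is one base search rather than join, append or several multisearch subsearches, it runs as a single pass over the indexed data and is not limited by subsearch result or time limits; values(*) deduplicates each field per host, so use list(*) instead if you need every occurrence.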