Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine two different events from different indexes/sourcetypes?

mikepangrac
Loves-to-Learn Lots
‎02-18-2022 08:33 AM

Hello, I'm trying to combine different events (with different fields) into one event based on a common field value.  Is there an easy way to do this?  For example:

(index=data sourcetype=source1) OR (index=customer sourcetype=sourcetype2)

Event from Source 1:
customer#: 12345
billingpackage: fastspeed
speed: 50m

Event from Source 2:
customer#: 12345
address: 1st street noth
zip: 41783

Desired Event:
customer#: 12345
billingpackage: fastspeed
speed: 50m
address: 1st street north
zip: 41783

Thanks in advance for the help!

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-18-2022 10:24 AM

You were close.  Run the query you have then use the stats command to merge the results.

(index=data sourcetype=source1) OR (index=customer sourcetype=sourcetype2)
| stats values(*) as * by customer

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...