Hi,
I am trying to search across two separate indexes and then display fields returned from both indexes on a single line of my output.
Both indexes have a common field named "user" and I am searching both indexes using this field.
The first part is "index=mcafee_wg user= supplied value". I want to search this index for a given value for the "user" field and to display the value of a field named "url" in my output. "url" is a field in this index.
I also want to search a different index with "index=cisco_fmc user= supplied value". As above, I want to search this index for a given value for the "user" field. From this index I want to display the value of a field named "detection", which is a field in this index.
So basically I want to combine these three fields together and output them on the same line, such as:
user url detection
value value value
Thanks!
You can try
(index=mcafee_wg user="supplied value") | join user [search index=cisco_fmc user="supplied value"] | table user url detection
Be careful, because the Splunk join command works fine with a small set of data.
Hi @ezmo1982
But does the user field need to have the same values across the two indexes?
Yes, the value of the user field needs to be the same across both indexes.
(index=mcafee_wg OR index=cisco_fmc) user="supplied value"
| stats values(url) as url values(detection) as detection by user
One thing I forgot to mention is that both indexes contain a field named "url". I am looking to output the "url" field from just the mcafee_wg index and not the cisco_fmc index.
(index=mcafee_wg OR index=cisco_fmc) user="supplied value"
| eval url=if(index="mcafee_wg", url, null())
| stats values(url) as url values(detection) as detection by user
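As an added example (not part of any of the replies above), here is the stats-based search extended with a check that the row actually has events from both indexes, which is what the join version gave you implicitly. The field name indexes_matched is my own choice; the index and field names are the ones used in this thread.

```spl
(index=mcafee_wg OR index=cisco_fmc) user="supplied value"
| eval url=if(index="mcafee_wg", url, null())
| stats values(url) as url values(detection) as detection dc(index) as indexes_matched by user
| where indexes_matched=2
| table user url detection
```

The parentheses around the two index terms matter: without them the search parses as index=mcafee_wg OR (index=cisco_fmc AND user="supplied value"), which would pull every mcafee_wg event regardless of user. dc(index) counts how many distinct indexes contributed events for that user; filtering on indexes_matched=2 reproduces the inner-join behaviour of the join command (only users seen in both indexes appear), while dropping the where line keeps users that appear in only one index, with the missing field left empty. This runs as a single streaming stats pass, so it does not hit the subsearch size and time limits that the join command is subject to.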