Hello yuanliu,

Here is the updated Rel table fields,

OK.  Now I can see the intention.  But if these tables are in production, the designer needs to be fired😏.  The second table cannot possibly be a single table.

In completely normalized form, the intended CMDB can be represented in three tables like these:

Table 1

Table 2

Table 3

Because (Dev, Test, Production) is an extremely limited set, you can probably merge Table 1 and Table 2 into one slightly bloated one without sacrificing much efficiency.  But Table 2 and Table 3 cannot easily merge, and definitely not in the way illustrated.

Table 2 is a static table best represented in a lookup.  It can be file based or KV store based.  I'll call this lookup table2.  Dynamic tables 1 and 3 are represented in the same index as different sourcetypes.  I'll call them sourcetypes table1 and table3.  I'll call the index cmdb.

The following is a prototype to associate table 1 with table 3 (via table 2):

index=cmdb sourcetype IN (table1, table3)
| lookup table2 AppParent AS AppName ``` OUTPUT AppChild ```
| stats values(host) as host values(AppNumber) as AppNumber values(AppName) as AppName values(AppOwner) as AppOwner values(ServerStatus) as ServerStatus by AppChild
| mvexpand host

 I now have doubts whether ServerStatus should be in Table 1.  But that's not a Splunk question.  The difference is: If ServerStatus is also in Table 3, Table 1 is also static and should be put in a CSV file or KV store as lookup.