Hi Mark

I tried, it gives results, but just for one index at time.
Here is the query 0

index=XXXX OR XXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR XXXXX OR | rex"(?[\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}][^,]+)" | rename XX_1 as IP | rename XX_2 as IP | rename XX_3 as IP | rex "W+s+(?d{1,3}.d{1,3}.d{1,3}.d{1,3}[^s+W+s+])" | rex "comings+froms+(?d*D*w*)" | rex "XXXs+XXXs+(?d{1,3}.d{1,3}.d{1,3}.d{1,3})" | rex "W(?d{1,3}.d{1,3}.d{1,3}.d{1,3}[^,])" | rename IPAddress as IP | rename XX_4 as IP | iplocation IP | stats count values(index) by Country

Any chance that this can only be done in later versions of Splunk? I am currently on 4.3.3 using Enterprise Security on 2.0.2. When I search for this: index=indexa sourcetype=sourcea [search index=indexb sourcetype=sourceb] The search is forever ongoing even though I am only searching for the past 5 minutes.

When I search for this: index=indexa OR index=indexb source=sourceb It works but it will not return the results I require.

Thanks somesoni2, I will test and reply in soon.

Hi

How would the query look if i have more that 10 index's to search for?

Kishore