combine 2 index with one common field

anhtran · ‎05-01-2015

Hello

i have index=sqltem with the sourcetype=temp-log with the following field : starttime, endtime, user_id, dbname, instruments_processed, inst_skipped, error_nums

Then I have another index=jobinfo with the sourcetype=jobinfo with the field
jobid
user_id
database
status
jobstarttime
jobfinishtime

As you see only user_id is a common field.

I would like to have a table that will show the all the fields on both index. How can I do that?

Thank you very much.

fdi01 · ‎05-01-2015

try :

index=sqltem sourcetype=temp-log |join user_id  [search index=jobinfo  sourcetype=jobinfo ] |table  starttime  endtime  user_id  dbname  instruments_processed inst_skipped  error_nums jobid database status jobstarttime jobfinishtime

or

index=sqltem|jobinfo  |table  starttime  endtime  user_id  dbname  instruments_processed inst_skipped  error_nums jobid database status jobstarttime jobfinishtime

stephane_cyrill · ‎05-01-2015

HI try this:

index=sqltem OR index=jobinfo|table starttime, endtime, user_id,
dbname, instruments_processed, inst_skipped,
error_nums,jobid,user_id,database,status,jobstarttime,jobfinishtime

YOU CAN USE ......|fields ........ AT THE PLACE OF ........|table........

combine 2 index with one common field

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

combine 2 index with one common field

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases