Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

combining two indexes together in one search

awedmondson
Explorer
‎12-13-2014 08:27 AM

Index 1
event with text "log-off" in the event
event with text log-on" in the event
event with field A, field B.
event with field B, field C
event with "log-off" in the event
event with "log-on" in the event

index 2
event with field A and field D

Search
I need to join the events to get an event with fields A, B C & D and which returns
logon and logoff time.
The events occur within 1 minute of each other.

I have tried to start off with something like..
index=1 A AND B AND C "log-on" AND "lof-off" | transaction A [search index=2 A AND D] | startswith "log-on"endswith "log-off"

How can I add iD into the search?

thanks

Tags (2)
0 Karma
Reply

lguinn2
Legend
‎12-13-2014 02:51 PM

Try this for starters

(index=1 A=8 OR B=* OR C=* OR "log-on" OR "log-off") OR (index=2 A=* AND D=*)
| transaction A B startswith="log-on" endswith="log-off"

And definitely read the answer that @martin_mueller suggests!

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-13-2014 08:38 AM

I second that comment by @martin_mueller 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...