combining two indexes together in one search

awedmondson · ‎12-13-2014

Index 1
event with text "log-off" in the event
event with text log-on" in the event
event with field A, field B.
event with field B, field C
event with "log-off" in the event
event with "log-on" in the event

index 2
event with field A and field D

Search
I need to join the events to get an event with fields A, B C & D and which returns
logon and logoff time.
The events occur within 1 minute of each other.

I have tried to start off with something like..
index=1 A AND B AND C "log-on" AND "lof-off" | transaction A [search index=2 A AND D] | startswith "log-on"endswith "log-off"

How can I add iD into the search?

thanks

lguinn2 · ‎12-13-2014

Try this for starters

(index=1 A=8 OR B=* OR C=* OR "log-on" OR "log-off") OR (index=2 A=* AND D=*)
| transaction A B startswith="log-on" endswith="log-off"

And definitely read the answer that @martin_mueller suggests!

martin_mueller · ‎12-13-2014

Do read this: http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

MuS · ‎12-13-2014

I second that comment by @martin_mueller 😉

combining two indexes together in one search

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor