Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search different index

splunkcol
Builder
‎07-16-2021 08:31 AM

 

I have 3 different indexes and they asked me to search by document number.

The structure of the logs is different including the name of the field that contains the document number

index = index1 OR index = index2 OR index = index3 1234567

As you know, that query is limited to looking for the number 1234567

I can't tell it to show certain fields in a table using table or stats count.

Any suggestion?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2021 08:37 AM

Hi @splunkcol,

i the name of the field in the three indexes is number1, numer2 and number3

You could use a search like this:

index = index1 OR index = index2 OR index = index3 
| eval number=coalesce(number1, number2, number3)
| where number=1234567
| ...

With this approach you can also correlate the three indexes taking data from all the indexes.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-16-2021 09:02 AM

@splunkcol 

If you know the document number filed name from each index then you can try this also.

(index=index1 document_number_Field1="1234567") OR (index=index2 document_number_Field2="1234567") OR (index=index3 document_number_Field3="1234567")
 | eval document_number = coalesce(document_number_Field1,document_number_Field2,document_number_Field3)
| .
.
.

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2021 08:37 AM

Hi @splunkcol,

i the name of the field in the three indexes is number1, numer2 and number3

You could use a search like this:

index = index1 OR index = index2 OR index = index3 
| eval number=coalesce(number1, number2, number3)
| where number=1234567
| ...

With this approach you can also correlate the three indexes taking data from all the indexes.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...