The join command is an inefficient way to combine datasets.  Alternative commands are described in the Search Reference manual (https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Join#Alternative_commands). Splunk has a manual for SQL users.  See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SQLtoSplunk

For your requirement, left join may not be ideal. Try this alternate implementation (replace make results query with your lookup/data query): | makeresults | eval DatabaseName=split("A B C"," ") | mvexpand DatabaseName | table DatabaseName | eval from="Lookup" | append [| makeresults | eval DatabaseName=split("A A1 10#A A2 20#C C1 40#C C2 50#D D 60","#") | mvexpand DatabaseName | table DatabaseName | rex field=DatabaseName "^(?<DatabaseName>\S+)\s+(?<Instance>\S+)\s+(?<CPUUtilization>\S+)$" | eval from="search"] | eventstats values(from) as from by DatabaseName | where isnotnull(mvfilter(match(from,"Lookup"))) | foreach CPUUtilization Instance [| eval "<<FIELD>>"=coalesce('<<FIELD>>',if(mvcount(from)=1 AND from="Lookup","NULL",null()))] | stats count by DatabaseName CPUUtilization Instance | table DatabaseName CPUUtilization Instance

What sorts of results are you trying to post as a note? You can plug just about anything you want into a utility block calling the add note function. You can insert a format block just before the note block and use its formatted_data (not formatted_data.*) output to make it look nicer or combine info from different sources.

Above is the event, not sure why this is showing up as two different events. Anyways, I have written a splunk query according to my requirements but output is not good.  I want to get rid of Service and Maintenance Start time in MST. Let me summarize the use case: You have ONE single log, Mon Oct 16 07:29:46 MST 2023 MIME-Version: 1.0 Content-Disposition: inline Subject: INFO - Services are in Maintenance Mode over 2hours -- AtWork-CIW-E1 Content-Type: text/html <font size=3 color=black>Hi Team,</br></br>Pleasefind below servers which are in maintenance mode for more than 2 hours; </br></br></font> <tableborder=2> <TR bgcolor=#D6EAF8><TH colspan=2>Cluster Name: AtWork-CIW-E1</TH></TR> <TRbgcolor=#D6EAF8><TH colspan=1>Service</TH><TH colspan=1>Maintenance Start Time inMST</TH></TR> <TR bgcolor=#FFB6C1><TH colspan=1>oozie</TH><TH colspan=1>Mon Oct 16 07:29:46 MST 2023</TH></TR> </table> <font size=3 color=black></br> ScriptPath:/amex/ansible/maintenance_mode_service</font> <font size=3 color=black></br></br>Thankyou,</br>BDP Spark Support Team</font> But Splunk indexer gives you TWO events (with different time values) Mon Oct 16 07:31:53 MST 2023 MIME-Version: 1.0 Content-Disposition: inline Subject: INFO - Services are in Maintenance Mode over 2hours -- AtWork-CIW-E1 Content-Type: text/html <font size=3 color=black>Hi Team,</br></br>Pleasefind below servers which are in maintenance mode for more than 2 hours; </br></br></font> <tableborder=2> <TR bgcolor=#D6EAF8><TH colspan=2>Cluster Name: AtWork-CIW-E1</TH></TR> <TRbgcolor=#D6EAF8><TH colspan=1>Service</TH><TH colspan=1>Maintenance Start Time inMST</TH></TR> Mon Oct 16 07:29:46 MST 2023 <TR bgcolor=#FFB6C1><TH colspan=1>oozie</TH><TH colspan=1>Mon Oct 16 07:29:46 MST2023</TH></TR> </table> <font size=3 color=black></br> ScriptPath:/amex/ansible/maintenance_mode_service</font> <font size=3 color=black></br></br>Thankyou,</br>BDP Spark Support Team</font> You want to use search command to combine data in these two into one table row.  Is this correct? Most importantly, you have a line break problem in ingestion.  This is where you really need to fix.  By default, Splunk has the habit of hunting for timestamp and use it as a clue that a new event exists.  This is why the "second" event has the time Mon Oct 16 07:29:46 MST 2023 which is actually the maintenance start time, not the time of log which should be later, namely Mon Oct 16 07:31:53 MST 2023.  If you do not fix line break problem, there is no end to troubles down the road no matter how many clever ways you can devise to work around it. This said, it is possible to work around this particular log by restoring the complete log using transaction. (Warning: The workaround may break other things.) Second, try not to capture everything by counting word breaks or even HTML tags.  HTML is really the worst enemy of Splunk because HTML's semantics is totally separate from semantics of content.  Always try to anchor regex on 1) content semantics, 2) HTML semantics.  Here is a proposal   | transaction startswith="Script Path" endswith="MIME-Version" | eval _time = _time + duration ``` restore actual event time; this may not be of interest ``` | rex "Cluster Name:\s*(?<ClusterName>[^<]+)" | rex "<TR[^>]*><TH[^>]*>(?<Service>[^<]+)<\/TH><TH[^>]*>(?<MaintenanceStartTime>[^<]+)" | table ClusterName Service MaintenanceStartTime   The two events should give you ClusterName Service MaintenanceStartTime AtWork-CIW-E1 oozie Mon Oct 16 07:29:46 MST 2023 Here is the emulation that you can play with and compare with real data   | makeresults | eval data=split("MIME-Version: 1.0 Content-Disposition: inline Subject: INFO - Services are in Maintenance Mode over 2 hours -- AtWork-CIW-E1 Content-Type: text/html <font size=3 color=black>Hi Team,</br></br>Please find below servers which are in maintenance mode for more than 2 hours; </br></br></font> <table border=2> <TR bgcolor=#D6EAF8><TH colspan=2>Cluster Name: AtWork-CIW-E1</TH></TR> <TR bgcolor=#D6EAF8><TH colspan=1>Service</TH><TH colspan=1>Maintenance Start Time in MST</TH></TR> <TR bgcolor=#FFB6C1><TH colspan=1>oozie</TH><TH colspan=1>Mon Oct 16 07:29:46 MST 2023</TH></TR> </table> <font size=3 color=black></br> Script Path:/amex/ansible/maintenance_mode_service</font> <font size=3 color=black></br></br>Thank you,</br>BDP Spark Support Team</font>", " ") | mvexpand data | eval _time = if(match(data, "Mon Oct 16 07:29:46 MST 2023"), strptime("Mon Oct 16 07:29:46 MST 2023", "%a %b %d %H:%M:%S %Z %Y"), strptime("Mon Oct 16 07:31:53 MST 2023", "%a %b %d %H:%M:%S %Z %Y")) | rename data AS _raw ``` data emulation above ```   Do not forget: Your most important task is to fix line breaks. (There are many guides in Splunk documents, and various answers in this forum.)

I would be cautious to anchor regex as closely as the data is regular.  Something like   | rex field=source "\\\t4\\\(apch\\\node|logs)\\\(?<node>[^-\\\\]+)"   This should give node source node06 E:\view\int\t4\apch\node\node06\log\server.log node06 E:\view\int\t4\apch\node\node06\log\run.log node03 E:\view\int\t4\apch\node\node03\log\server.log node01 E:\view\int\t4\apch\node\node01\log\server.log node01 E:\view\int\t4\apch\node\node01\log\run.log core02 E:\view\int\t4\logs\core02-core.log web37 E:\view\int\t4\logs\web37-wfmws.log core01 E:\view\int\t4\logs\core01-core.log You can play with the emulation @ITWhisperer offered and compare with real data.   | makeresults format=csv data="source E:\view\int\t4\apch\node\node06\log\server.log E:\view\int\t4\apch\node\node06\log\run.log E:\view\int\t4\apch\node\node03\log\server.log E:\view\int\t4\apch\node\node01\log\server.log E:\view\int\t4\apch\node\node01\log\run.log E:\view\int\t4\logs\core02-core.log E:\view\int\t4\logs\web37-wfmws.log E:\view\int\t4\logs\core01-core.log" ``` data emulation above ```      

I don't think there is a way to do that in a single search. After all you are looking for specific events (search one) and then trying to expand around each of those events (searches 2+). There is the map command which technically isn't a single search as it runs once for each event up to the maxsearches values. That's really not a great solution as it could easily end up running hundreds of searches to actually be useful with terrible performance. You could reduce the maxsearches but then you would not get data for each event in the base search. The best way I can think to do it would be a dashboard with a base search and drilldowns that pass values to a second search to get more detailed information.

Here is a runanywhere example showing it working | makeresults format=csv data="source E:\view\int\t4\apch\node\node06\log\server.log E:\view\int\t4\apch\node\node06\log\run.log E:\view\int\t4\apch\node\node03\log\server.log E:\view\int\t4\apch\node\node01\log\server.log E:\view\int\t4\apch\node\node01\log\run.log E:\view\int\t4\logs\core02-core.log E:\view\int\t4\logs\web37-wfmws.log E:\view\int\t4\logs\core01-core.log" | rex field=source "^([^\\\\]+\\\\){5}(?<node>[^-]+)" | rex field=source "^([^\\\\]+\\\\){6}(?<node>[^\\\\]+)" Note if these different formats for source are used in the same search then the order is significant, otherwise just use the relevant rex pertaining to the source name format

I go with the default indexing of raw. However, I had to change my output from key1=value1,key2=value2,key3=value3 (no space after comma) into key1=value1, key2=value2, key3=value3 (space after comma)