I would use split and mvindex instead of rex: | eval sourcePort=if(group=one,mvindex(split(sourcePort,"."),0),sourcePort) ... View more

If you use join, you will have to join twice, first to get the type of the sending host and secondly to get the type of the receiving host. You can also do it with some fiddly eventstats. Here is a pseudo example of using eventstats  | makeresults count=20 | eval hostname="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), random() % 26) | eval host="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), random() % 26) | eval destPort=mvindex(split("9995,9996,9997", ","), random() % 3) | append [ | makeresults count=26 | streamstats c | eval splunkname="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), c - 1) | eval type=mvindex(split("Intermediate Forwarder,Indexer", ","), random() % 2) | fields - c ] ``` The above sets up a data set of 20 rows of send/receive events and the append makes the 'library' of the 26 possible host types. Now this logic will 'join' the types to the events ``` | eval host=coalesce(host, splunkname) | eval hostname=coalesce(hostname, splunkname) ``` join the type to receiving host ``` | eventstats values(type) as receivingType by host ``` join the type to sending hostname ``` | eventstats values(type) as sendingType by hostname | where isnotnull(destPort) | stats values(destPort) as destPorts by sendingType receivingType and a similar example using a double join | makeresults count=20 | eval hostname="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), random() % 26) | eval host="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), random() % 26) | eval destPort=mvindex(split("9995,9996,9997", ","), random() % 3) | join hostname [ | makeresults count=26 | streamstats c | eval splunkname="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), c - 1) | eval type=mvindex(split("Intermediate Forwarder,Indexer", ","), random() % 2) | fields - c | rename splunkname as hostname ] | rename type as sendingType | join host [ | makeresults count=26 | streamstats c | eval splunkname="host-".mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ", ""), c - 1) | eval type=mvindex(split("Intermediate Forwarder,Indexer", ","), random() % 2) | fields - c | rename splunkname as host ] | rename type as receivingType | fields - _time | stats values(destPort) as destPorts by sendingType receivingType Note that both of these involve append or join, which are not the best commands to use, as they can have subsearch data limitations. ... View more

Hi @erikschubert, you have to use eval if: index="index1" group=a) OR (index="index2" group=a).... | eval splunkname=if(index=indexB,host, splunkname) you said that splunkname is equal to host for the second search but you didn't specified what's the value of splunkname for the first search, I supposed that there's this field, anyway take the approach to the problem and the general solution. Ciao. Giuseppe ... View more

Avoid join in Splunk where possible - it has limitations and is not really the Splunk way to do things, as joining can easily be done with stats search <dataset_1> OR <dataset_2> | eval host=if(index=dataset_1, hostname, host) | stats values(destPort) as ports values(os) as os by host | stats values(ports) as ports by os Assuming that there is only 1 os per host, then the first stats will give all the ports for the host along with its os and then the second stats will give all the ports by os.   ... View more