Index1 with fields (name, "team id", surName)
Index2 with fields (userId, correlationId, operation)
Question 1: I want to join two indexes which hold completely different sets of information. There is a joining field, but the field names are not unique, though the values are the same.
Both name and userId hold the same set of values, e.g. name=John, userId=John.
How do I combine these two indexes by the name and userId fields to get results from both indexes?
Question 2:
We have created two form fields in a Splunk dashboard. One is "userId" and the second is "team id". "team id" is available only in Index1 and userId is available in Index2. As I mentioned in Question 1, the only joining condition is using name and userId.
Please suggest the best search query to combine the indexes filtered by "team id" and userId.
Replying to Somesoni2, Ayn:
Thanks a lot for your quick responses. Please find the sample logs from Index1 and Index2 below. There are a lot more fields in addition to the ones I mentioned, but I am not in a position to reveal them as they are sensitive.
Index1
2014-08-10 21:34:12,558 INFO TeamReportImpl - {name=John, "team id"=Team 1, surname=Wright}
Index2
2014-08-10 22:24:11,668 INFO OperationReportImpl - {userId=John operation=Create,
correlationId=021C0E78-65D2-AF4F38A93D7E}
The requirement is: we have a dashboard with three fields:
1. Date range
2. Officer name
3. Team drop-down
I have to create several panels to display total counts, e.g.:
1. Total count of Create operations
2. Total count of correlation IDs by team (even though the team is not provided in Index2)
Thanks again for the prompt response.