Hi, I'm wondering if it's possible to do an outer/left join two tables on two fields. I have two indexes with the following data: Index1: col1 col2 123 abc 456 def Index2: col1 col2 col3 123 abc xyz Desired results: col1 col2 col3 123 abc xyz 456 def Here's my search: index=index1 |join type=outer col1, col2 [search index=index2 |fields col1, col2, col3] |table col1, col2, col3 The results I get are inconsistent. It seems almost as if Splunk is going the outer join on the two columns independently, so I get more results than I need. If I remove the "type=outer", making it an inner join, I get the below results, so I know the join works for the inner: col1 col2 col3 123 abc xyz Thanks, AP ... View more

Hi, I'm having an issue where my Splunk audit.log from the UF is not being forwarded to my Splunk Cloud instance. My environment is as follows: 1x Universal Forwarder -> 2x Intermediate Forwarder -> 4x Cloud Indexers My default\outputs.conf is as follows: forwardedindex.0.whitelist = .* forwardedindex.1.blacklist = _.* forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry) forwardedindex.filter.disable = false indexAndForward = false My local/outputs.conf is as follows: [tcpout:default-autolb-group] server = my ip's here forwardedindex.filter.disable = true forwardedindex.2.whitelist = (_audit) I ran the splunk.exe list monitor command and it shows the file being monitored, however, i don't see the logs showing up in my _audit log in the cloud. Is that the right index the audit.log should appear in? I even tried to set up a separate inputs entry to monitor that file to no avail. Any thoughts on how I could troubleshoot this issue? ... View more