Solved: When searching two indexes, how do i refer to a fi...

khubyarb · ‎07-06-2016

My search is on two indexes. I want to be able to refer specifically to a field value from one of the indexes and not the other. Both indexes have the field that share the same field name. For example:

search index=indexA OR index=indexB | eval unique1= indexA.ID | eval unique = indexB.ID | ....

I cannot use subsearch because my result set of the subsearch would be over the limit of results subsearch returns so I need to be searching both indexes at the same time. Would appreciate any help.

javiergn · ‎07-06-2016

You can do it this way:

search index=indexA OR index=indexB 
| eval unique-{index}= ID

Which in your case it will create two fields: unique-indexA and unique-indexB

View solution in original post

javiergn · ‎07-06-2016

You can do it this way:

search index=indexA OR index=indexB 
| eval unique-{index}= ID

Which in your case it will create two fields: unique-indexA and unique-indexB

khubyarb · ‎07-08-2016

Follow up question: in the statement
|eval unique-{index} = ID
The value of unique-indexA should contain the IDs from only indexA right?

javiergn · ‎07-11-2016

Yes, that's correct.

You can do similar things with any other field.
Another common one is to use it when fetching data from multiple sourcetypes:

sourcetype=A OR sourcetype=B
| eval mycommonfield-{sourcetype} = mycommonfield

khubyarb · ‎07-06-2016

Thanks a lot @javiergn! This should work great for my use case!

When searching two indexes, how do i refer to a field from a specific index?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!