Doing a join on two different indexes in Splunk

I know this is probably covered somewhere in some document or blog post or support site somewhere... but I couldn’t find it. At least not a down and dirty simple way to start, so here is my way to do it. Thanks to Maggie Kostiew for giving me the “search” parameter. The hard part was the “[ search” part. That was shown nowhere. So I hope this helps some new guy like me somewhere.

index="device_list"
| table serialNumber, manufacturer, modelName, hardwareVersion, softwareVersion, wanAccessType, macAddress, pppUsername
| join type=inner serialNumber
    [search index="device_op" error=* | table serialNumber, error]
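An added example, not from the original post: the same inner join written without a subsearch, which matters on large indexes because subsearch results are capped by result-count and runtime limits and the join can then silently miss rows. It assumes serialNumber is extracted under the same name in both indexes (as the join above already does); index_count is a helper field introduced here.

```spl
(index="device_list") OR (index="device_op" error=*)
| stats dc(index) AS index_count
        values(manufacturer) AS manufacturer
        values(modelName) AS modelName
        values(hardwareVersion) AS hardwareVersion
        values(softwareVersion) AS softwareVersion
        values(wanAccessType) AS wanAccessType
        values(macAddress) AS macAddress
        values(pppUsername) AS pppUsername
        values(error) AS error
  BY serialNumber
| where index_count=2
| fields - index_count
```

Keeping only rows where index_count=2 reproduces the inner-join behaviour: a serial number must appear in both indexes. Unlike the join, this returns one row per serialNumber with every distinct error as a multivalue field.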
