I have two indexes and multiple sourcetypes. Hostname is the common field. I want to bring all possible information for that host from all ST.
index=I1 ST=S1
index=I2 ST=S2, ST=S3, ST=S4, ST=S5
Sourcetypes S2 to S5 belong to the same index, I2.
Things I tried
#1
(index=I1 OR index=I2) (ST=S1 OR ST=S2 OR ST=S3)
|fields
Didn't work
#2
|multisearch
[search index=I1 ST=S]
[search index=I2 (ST=S1 OR ST=S2 ...]
Didn't work
#3
|multisearch
[search index=I1 ST=S]
[search index=I2 ST=S2]
[search index=I2 ST=S3]
Taking a lot, lot of time
What am I missing here? What is the best approach to join two different indexes, with one index having multiple sourcetypes?