Forums: SplunkGeneral: Multiple Indexes on single host and the ability to search against both in the same query


I know you can set up multiple indexes for different types of data, but can you search against both in the same search string?
Ex. I have syslog data being indexed in MAIN. I have a second set of data, Oracle logs, that I would like to place in a separate index... call it Oracle. Can I search across both indexes at the same time so I can correlate system errors with the Oracle errors?

I was told last Fall that this would be something we could do in the future when Splunk rebuilt their search engine. I am not sure if we now have that ability.

When I test this functionality (index=main AND index=oracle), I get an error stating "index specified multiple times, using only 'main'". This would appear to be something we cannot do yet. I would like to understand if/when we can expect this.

Regards.

At this time, it is not possible to search both indexes at once in this manner. It may work in our upcoming major 4.0 release, though I can't yet say for sure. I'd be happy to file an enhancement request for you. If you'd like me to do this, please let me know what company you're from, so I can file it properly (or submit via email to support@splunk.com and we can take it from there).

Thank you for following up. Please post this under Thomson Reuters.
Love to see it in v4.0 major release.

Regards.

Case 19833 has been filed as an enhancement request for you. It's associated with your account, so you should be able to see updates.

We would love this feature as well here at Telenor.

At Telenor we use 6-8 different indexes, and at the same time we need to be able to narrow access for certain users to only a few indexes.

At the moment we cannot set up Roles to narrow access to different indexes. Splunk will only allow narrowing down to 1 index. The only choice then is to provide 2 accounts for each user (one for each index), which you probably understand is a rather peculiar solution.

Yes, we at First Horizon would love this too!