Search: Join / Multisearch
Add fields from another index to my search
In the index "index1" the fields "field1_index2" and "field2_index2" are missing, but in the index "index2" they exist.
"Field1" from "index1" has the same value as "field1_index2" from "index2".
Goal: Adding "field2_index2" from "index2" to the main search of "index1"
Fields of Index1:
- field1
- field2
- field3
Fields of Index2:
- field1_index2
- field2_index2
Splunk-Search
index=index1 | sort field1 DESC | join type=left field1 [search index=index2 earliest=-1d | rename field1_index2 AS field1 | fields field1, field2_index2] | table field1, field2, field3, field2_index2
index=adm_hyperveventcollector "System.Channel"="Microsoft-Windows-Hyper-V-VMMS-Admin" ("System.EventID"=20415 OR "System.EventID"=20413 OR "System.EventID"=20417)
| rename "System.Execution.@ThreadID" AS ThreadID
| rename "System.Execution.@ProcessID" AS ProcessID
| rename "UserData.VmlEventLog.Parameter0" AS VM
| rename "UserData.VmlEventLog.Parameter1" AS VM-ID
| rename "System.Computer" AS Source
| transaction ThreadID, VM-ID mvlist="UserData.VmlEventLog.Parameter2" startswith="initiated the live migration of" endswith="successfully completed the live migration"
| eval Destination=mvindex('UserData.VmlEventLog.Parameter2',0)
| eval BlackoutTime=mvindex('UserData.VmlEventLog.Parameter2',1)
| eval time='System.TimeCreated.@SystemTime'
| eval EndTime=_time+duration
| eval StartTime=_time
| convert timeformat="%d.%m.%y %H:%M:%S.%f" ctime(StartTime)
| convert timeformat="%d.%m.%y %H:%M:%S.%f" ctime(EndTime)
| where eventcount=2
| sort EndTime DESC
| join type=left Destination [search index=adm_compute_qcheck earliest=-1d | rename *.* as ** | rename *{}* as ** | rename *{}* as ** | rename source AS Destination | fields Destination, ClusterName ]
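The same left join from the index1/index2 example written without `join`, as an added example that is not part of the original post. Pulling both indexes in one search and copying the matching value across with `eventstats` keeps every index1 event (unmatched ones simply get no `field2_index2`) and avoids the row and time limits that apply to a `join` subsearch. It assumes the field names from the question and that `join_key` is a free name; the outer time range must cover both indexes.

```spl
(index=index1) OR (index=index2 earliest=-1d)
| eval join_key=if(index="index2", field1_index2, field1)
| eventstats values(field2_index2) AS field2_index2 BY join_key
| where index="index1"
| sort field1 DESC
| table field1, field2, field3, field2_index2
```

If `field1_index2` is not unique in index2, `field2_index2` becomes a multivalue field here, whereas `join` keeps only the first match; the same pattern applies to the Hyper-V search with `Destination` as the key.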