https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421332#M7388 <P>I don;t know what's eval command I need to here but I like to make SPL like before</P> <P>sourcetype A , field_a(requestid) field_a2 , field_a3 ,field_a4</P> <P>sourcetype B, field_b(requestid) field_b2, field_b3, filed_b4</P> <P>(what kind of eval or join i need to use here ) ?????</P> <P>where field_a(requestid)=field_b(requestid)</P> <P>table field_a(requestid) field_b(requestid) field_a3 ,field_a4 ,filed_b4 </P> Tue, 29 Sep 2020 19:42:32 GMT diag 2020-09-29T19:42:32Z https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421332#M7388 <P>I don;t know what's eval command I need to here but I like to make SPL like before</P> <P>sourcetype A , field_a(requestid) field_a2 , field_a3 ,field_a4</P> <P>sourcetype B, field_b(requestid) field_b2, field_b3, filed_b4</P> <P>(what kind of eval or join i need to use here ) ?????</P> <P>where field_a(requestid)=field_b(requestid)</P> <P>table field_a(requestid) field_b(requestid) field_a3 ,field_a4 ,filed_b4 </P> Tue, 29 Sep 2020 19:42:32 GMT https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421332#M7388 diag 2020-09-29T19:42:32Z https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421333#M7389 <P>Try this!</P> <PRE><CODE>(sourcetype=sourcetype A OR sourcetype=sourcetype B) |eval key=if(sourcetype=sourcetype A, field_a, field_b) |stats earliest(*) as * by key |table field_a,field_b,field_a3 ,field_a4 ,filed_b4 </CODE></PRE> Mon, 28 May 2018 11:44:30 GMT https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421333#M7389 HiroshiSatoh 2018-05-28T11:44:30Z https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421334#M7390 <P>Hi @diag ,</P> <P>Can you please try following search?</P> <PRE><CODE>(sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*) | eval requestid=if(isnotnull(field_a),field_a,field_b) | stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid | where field_a = field_b </CODE></PRE> <P>This is my sample search</P> <PRE><CODE>| makeresults | eval sourcetype="A",field_a="1,2,3,4",field_a2="a2",field_a3="a3", field_a4="a4" | eval field_a=split(field_a,",") | mvexpand field_a | append [| makeresults | eval sourcetype="B",field_b="1,2,3",field_b2="b2",field_b3="b3", field_b4="b4" | eval field_b=split(field_b,",") | mvexpand field_b] | eval comment="Above search is for data generation. Use from below search" | search (sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*) | eval requestid=if(isnotnull(field_a),field_a,field_b) | stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid | where field_a = field_b </CODE></PRE> <P>Thanks</P> Mon, 28 May 2018 11:54:41 GMT https://community.splunk.com/t5/Splunk-Dev/search-same-requestid-from-different-sources-and-fileds/m-p/421334#M7390 kamlesh_vaghela 2018-05-28T11:54:41Z