https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446872#M126736 <P>try this:</P> <PRE><CODE>(index=rap sourcetype="joyner lucas" albums=*) OR (index=country sourcetype="lil Nas" songs=*) | eval check_match = coalesce(albums,songs) | stats count by check_match | where count &gt; 1 </CODE></PRE> <P>here is an example to try anywhere:</P> <PRE><CODE>| makeresults count=1 | eval data = "x,y,z,123;;;x,y,z,124;;;x,y,z,125;;;x,y,z,126;;;a,b,c,123;;;a,b,c,134;;;a,b,c,125;;;a,b,c,136" | makemv delim=";;;" data | mvexpand data | rex field=data "(?&lt;idx&gt;[^\,]+)\,(?&lt;st&gt;[^\,]+)\,(?&lt;letter&gt;[^\,]+)\,(?&lt;number&gt;.+)" | eval album = if(idx=="x",number,null()) | eval song = if(idx="a",number,null()) | table idx st album song | rename COMMENT as "the above generates data below is the solution" | search (idx=x st=y album=*) OR (idx=a st=b song=*) | eval check_match = coalesce(album,song) | stats count by check_match | where count &gt; 1 </CODE></PRE> <P>hope it helps</P> Sat, 04 May 2019 00:30:57 GMT adonio 2019-05-04T00:30:57Z https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446870#M126734 <P>index=rap sourcetype="joyner lucas"<BR /> | dedup albums| table albums<BR /> |append [search index=country sourcetype="lil Nas"<BR /> |dedup songs| table songs]</P> Fri, 03 May 2019 21:58:27 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446870#M126734 atl215 2019-05-03T21:58:27Z https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446871#M126735 <P>I would like to list the values that match</P> Fri, 03 May 2019 21:59:31 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446871#M126735 atl215 2019-05-03T21:59:31Z https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446872#M126736 <P>try this:</P> <PRE><CODE>(index=rap sourcetype="joyner lucas" albums=*) OR (index=country sourcetype="lil Nas" songs=*) | eval check_match = coalesce(albums,songs) | stats count by check_match | where count &gt; 1 </CODE></PRE> <P>here is an example to try anywhere:</P> <PRE><CODE>| makeresults count=1 | eval data = "x,y,z,123;;;x,y,z,124;;;x,y,z,125;;;x,y,z,126;;;a,b,c,123;;;a,b,c,134;;;a,b,c,125;;;a,b,c,136" | makemv delim=";;;" data | mvexpand data | rex field=data "(?&lt;idx&gt;[^\,]+)\,(?&lt;st&gt;[^\,]+)\,(?&lt;letter&gt;[^\,]+)\,(?&lt;number&gt;.+)" | eval album = if(idx=="x",number,null()) | eval song = if(idx="a",number,null()) | table idx st album song | rename COMMENT as "the above generates data below is the solution" | search (idx=x st=y album=*) OR (idx=a st=b song=*) | eval check_match = coalesce(album,song) | stats count by check_match | where count &gt; 1 </CODE></PRE> <P>hope it helps</P> Sat, 04 May 2019 00:30:57 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446872#M126736 adonio 2019-05-04T00:30:57Z https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446873#M126737 <P>From this answer, how would I chart the matches of this search?</P> <PRE><CODE> (index=rap sourcetype="joyner lucas" albums=*) OR (index=country sourcetype="lil Nas" songs=*) | eval check_match = coalesce(albums,songs) | stats count by check_match | where count &gt; 1 </CODE></PRE> Mon, 06 May 2019 14:00:42 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-values-found-in-two-searches/m-p/446873#M126737 atl215 2019-05-06T14:00:42Z