https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451950#M127976 <P>Like this:</P> <PRE><CODE>(index=main AND source=os) OR (index=patch AND sourcetype=csv | eval ComputerName=coalesce(ComputerName, extracted_Host) | stats dc(index) AS index_count dc(BuildNumber) AS BuildNumber_count dc(patchlevel) AS patchlevel_count BY ComputerName | where index_count &gt; 1 AND BuildNumber_count != patchlevel_count </CODE></PRE> Fri, 05 Jul 2019 23:11:54 GMT woodcock 2019-07-05T23:11:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451944#M127970 <P>Hi all, I'd be grateful if you could help me with this. I have read other similar questions but none of them seem to solve the problem.</P> <P>I have two searches:<BR /> <STRONG>Search 1:</STRONG> <CODE>index=main source=os</CODE> <BR /> <STRONG>Search 2:</STRONG> <CODE>index=patch sourcetype=csv</CODE></P> <P>In search 1, there is a field that has workstation IDs, and the field is called 'ComputerName'<BR /> In search 2, the same field exists but the name is 'extracted_Hosts'</P> <P>So what I want to do is look at both searches and get workstation IDs that exist in <STRONG>both</STRONG>, and then use these events to pipe into another function.</P> <P>Example:<BR /> Search 1: index=main source=os | stats values(ComputerName)<BR /> Result: <BR /> <STRONG>W123456</STRONG><BR /> <STRONG>W789123</STRONG><BR /> W456789<BR /> W123321<BR /> <STRONG>W789987</STRONG></P> <P>Actual number of results is 30,271</P> <P>Search 2: index=patch sourcetype=csv | stats values(extracted_Host)<BR /> <STRONG>W123456</STRONG><BR /> W154658<BR /> <STRONG>W789123</STRONG><BR /> W546589<BR /> <STRONG>W789987</STRONG></P> <P>Actual number of results is 18,672</P> <P>So the output I want is:<BR /> <STRONG>W123456</STRONG><BR /> <STRONG>W789123</STRONG><BR /> <STRONG>W789987</STRONG></P> <P>Your help is much appreciated!</P> <HR /> <P>Here is what I want to do with the data, grateful if you can help with this but I think I need to figure out the above before that.</P> <P>The search 1 (source=os) has a field called 'BuildNumber' which refers to the Windows 10 build version. The search 2 (index=patch) has a field called 'patchlevel' which is the same as 'BuildNumber', but they are different numbers, so for example a version of Windows 10 could have BuildNumber = 1703 and patchlevel = 15063. <STRONG>I want to use the data from the previous search which gives me the workstations that are common in both sources, and then get a count of each Build Number and patch level, and see if there is any discrepancy.</STRONG> </P> <P>Hope I've explained this well enough, let me know if I haven't! Thanks again. </P> Fri, 28 Jun 2019 08:50:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451944#M127970 xiantros 2019-06-28T08:50:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451945#M127971 <P>See if this gets you close to what you want.</P> <PRE><CODE>(index=main source=os) OR (index=patch sourcetype=csv) | eval computer = coalesce(ComputerName, extracted_Host) | stats values(BuildNumber) as BuildNumbers, values(patchlevel) as patchlevels by computer </CODE></PRE> Fri, 28 Jun 2019 12:35:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451945#M127971 richgalloway 2019-06-28T12:35:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451946#M127972 <P>Thanks for your answer. Correct me if I'm wrong but seems to put all values in 'ComputerName' and 'extracted_Host' fields into one field called 'computer'? I want to make sure that the values I get exist are in both fields, and I don't want any value that exists in only one field.. </P> Fri, 28 Jun 2019 13:27:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451946#M127972 xiantros 2019-06-28T13:27:38Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451947#M127973 <P>ComputerName and extracted_Host are not present in both indexes so we can't select events that have both.<BR /> The <CODE>coalesce</CODE> function, however, creates a new field that contains the value of either ComputerName or extracted_Host, whichever is not null. That allows the <CODE>stats</CODE> function to match up the two indexes and produce the desired results.</P> Wed, 30 Sep 2020 01:08:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451947#M127973 richgalloway 2020-09-30T01:08:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451948#M127974 <P>Ok so in this case let's say index 'main' has values in ComputerName as a, b, d, e and index 'patch' has values for extracted_Host as a, b, c, f. Is the field created by <CODE>coalesce</CODE> function going to give me a, b, c, ,d e, f or a, b ?</P> <P>I want the result to be a, b as they are the common values that exist in both.</P> Sat, 29 Jun 2019 09:00:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451948#M127974 xiantros 2019-06-29T09:00:42Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451949#M127975 <P>The <CODE>coalesce</CODE> function returns a single value that is the first of its arguments which is not null.<BR /> Keep in mind the function operates on one event at a time so it will only see one value for ComputerName and one value for extracted_Host.</P> Tue, 02 Jul 2019 12:56:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451949#M127975 richgalloway 2019-07-02T12:56:02Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451950#M127976 <P>Like this:</P> <PRE><CODE>(index=main AND source=os) OR (index=patch AND sourcetype=csv | eval ComputerName=coalesce(ComputerName, extracted_Host) | stats dc(index) AS index_count dc(BuildNumber) AS BuildNumber_count dc(patchlevel) AS patchlevel_count BY ComputerName | where index_count &gt; 1 AND BuildNumber_count != patchlevel_count </CODE></PRE> Fri, 05 Jul 2019 23:11:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451950#M127976 woodcock 2019-07-05T23:11:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451951#M127977 <P>@xiantros, does it solve your problem?</P> Tue, 08 Oct 2019 07:56:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-common-values-in-two-different-fields-in-two/m-p/451951#M127977 ankitkanchan 2019-10-08T07:56:24Z