https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488895#M136545 <P>I have two query...</P> <PRE><CODE>index=xxx_prod host="foo.org" 5032 submit | rex "id=PO:(?&lt;PO&gt;\d*)" | dedup PO | table PO _time index=xxx_prod host="bar.org" | rex "savePO.*POId=(?&lt;PO&gt;\d*).*\"responseCode\":200" | dedup PO | table PO _time </CODE></PRE> <P>I want to compare both PO results from different services one is submitted, another one is saved. and I want to show as the following table</P> <PRE><CODE> PO | submit_date | save_date | elapse_time_min | isSave 1000001 | 2020-01-18 02:09:49.022 | 2020-01-18 02:51:51.289 | 41 | true 1000002 | 2020-01-18 03:18:25.780 | 2020-01-18 03:59:08.695 | 49 | true 1000003 | 2020-01-18 03:18:25.780 | | | false </CODE></PRE> <P>How can I do that?</P> Sat, 18 Jan 2020 12:05:18 GMT x_tivity 2020-01-18T12:05:18Z https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488895#M136545 <P>I have two query...</P> <PRE><CODE>index=xxx_prod host="foo.org" 5032 submit | rex "id=PO:(?&lt;PO&gt;\d*)" | dedup PO | table PO _time index=xxx_prod host="bar.org" | rex "savePO.*POId=(?&lt;PO&gt;\d*).*\"responseCode\":200" | dedup PO | table PO _time </CODE></PRE> <P>I want to compare both PO results from different services one is submitted, another one is saved. and I want to show as the following table</P> <PRE><CODE> PO | submit_date | save_date | elapse_time_min | isSave 1000001 | 2020-01-18 02:09:49.022 | 2020-01-18 02:51:51.289 | 41 | true 1000002 | 2020-01-18 03:18:25.780 | 2020-01-18 03:59:08.695 | 49 | true 1000003 | 2020-01-18 03:18:25.780 | | | false </CODE></PRE> <P>How can I do that?</P> Sat, 18 Jan 2020 12:05:18 GMT https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488895#M136545 x_tivity 2020-01-18T12:05:18Z https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488896#M136546 <P>Show us some sample events from each sourcetype.</P> Sat, 18 Jan 2020 19:28:37 GMT https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488896#M136546 woodcock 2020-01-18T19:28:37Z https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488897#M136547 <PRE><CODE>index=xxx_prod (host="foo.org" 5032 submit) OR (host="bar.org") | rex "id=PO:(?&lt;submit_PO&gt;\d*)" | rex "savePO.*POId=(?&lt;save_PO&gt;\d*).*\"responseCode\":200" | eval PO=coalesce(submit_PO,save_PO) | eval flag=if(searchmatch("savePO"),"save","submit") | stats earliest(eval(if(flag="submit",_time,NULL))) as submit_date latest(eval(if(flag="save",_time,NULL))) as save_date by PO | eval elapse_time_min=round(save_date - submit_date / 60) | eval isSave=if(isnull(elapse_time_min),"false","true") | table PO submit_date save_date elapse_time_min isSave | foreach *date [eval &lt;&lt;FIELD&gt;&gt;=strftime(&lt;&lt;FIELD&gt;&gt;,"%F %T.%3Q")] </CODE></PRE> <P>Hi, <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/36202">@x_tivity</a><BR /> It would be a little easier if <EM>save</EM> and <EM>submit</EM> were determined by the host name.<BR /> Since I don't know the actual log,<BR /> First time for <EM>submit</EM> and Last time for <EM>save</EM> are counted.<BR /> how about this</P> Wed, 30 Sep 2020 03:45:24 GMT https://community.splunk.com/t5/Splunk-Search/join-two-rex-results-from-different-host-and-query/m-p/488897#M136547 to4kawa 2020-09-30T03:45:24Z