https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504464#M140847 <P>Is the difference always a prefix that ends with a hyphen?</P><P>Is the prefix always three characters?</P><P>Is the ID always 36 characters long?</P><P>If so, then use this-</P><LI-CODE lang="markup">| eval matchId=coalesce(id1,id2,id3) | eval matchId=substr(matchId,len(matchId)-35,36) </LI-CODE><P>&nbsp;</P> Mon, 15 Jun 2020 16:39:24 GMT DalJeanis 2020-06-15T16:39:24Z https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504344#M140845 <P>Hi All, I have query below that needs to modified for sub string matching condition -</P> <P><SPAN>splunk query:<BR /></SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup">sourcetype=source1 id1="*" OR sourcetype=source2 id2="*" OR sourcetype=source3 id2="*" Id=coalesce(id1,id2,id3) | stats count by Id sourcetype | xyseries Id sourcetype count | fillnull source1 source2 source3 value="Not exists" | table source1 source2 source3</LI-CODE> <P>&nbsp;</P> <P>when&nbsp;<BR />id1=F80C05F3-19AF-40D3-AC73-19544E928D21<BR /><SPAN>id2=XOP-</SPAN><SPAN>F80C05F3-19AF-40D3-AC73-19544E928D21<BR /></SPAN><SPAN>id3=ABC-</SPAN><SPAN>F80C05F3-19AF-40D3-AC73-19544E928D21</SPAN></P> <P><SPAN><BR />The query above needs to be modified for substring matching based on id1 existing in id2 or id3 and it needs to return the results, how can this query below be modified?</SPAN></P> Mon, 15 Jun 2020 19:32:16 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504344#M140845 msrama5 2020-06-15T19:32:16Z https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504462#M140846 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> any ideas on this ?</P><P>&nbsp;</P> Mon, 15 Jun 2020 16:23:52 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504462#M140846 msrama5 2020-06-15T16:23:52Z https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504464#M140847 <P>Is the difference always a prefix that ends with a hyphen?</P><P>Is the prefix always three characters?</P><P>Is the ID always 36 characters long?</P><P>If so, then use this-</P><LI-CODE lang="markup">| eval matchId=coalesce(id1,id2,id3) | eval matchId=substr(matchId,len(matchId)-35,36) </LI-CODE><P>&nbsp;</P> Mon, 15 Jun 2020 16:39:24 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504464#M140847 DalJeanis 2020-06-15T16:39:24Z https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504502#M140854 <LI-CODE lang="markup">(sourcetype=source1 id1="*") OR (sourcetype=source2 id2="*") OR (sourcetype=source3 id2="*") | eval Id=coalesce(id1,id2,id3) | eval ID=mvindex(split(Id,"-"),-1) | stats count by ID sourcetype | xyseries ID sourcetype count | | fillnull source1 source2 source3 value="Not exists" | table source1 source2 source3</LI-CODE><P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/176060">@msrama5</a>&nbsp;<BR />How about this?</P> Mon, 15 Jun 2020 21:28:41 GMT https://community.splunk.com/t5/Splunk-Search/Join-fields-with-partly-matching/m-p/504502#M140854 to4kawa 2020-06-15T21:28:41Z