https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315384#M161047 <P>Try this one:</P> <P>index=* sourcetype=sourcetype1 OR sourcetype=sourcetype2<BR /> | stats dc(sourcetype as sourcetypes values(sourcetype) as sourcetype by tradeID<BR /> | search sourcetype=sourcetype1 AND sourcetypes= 2</P> Wed, 24 May 2017 09:15:02 GMT gvnd 2017-05-24T09:15:02Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315378#M161041 <P>My use case is:<BR /> There is sourcetype1, which has tradeID field; also sourcetype2, which also has tradeID field.</P> <P>I think sourcetype2 should be a subset of sourcetype1, and I want to do reconciliation.<BR /> How to write a search so that it returns all tradeID in sourcetyp1, but not in sourcetype2?</P> <P>Thanks.</P> Tue, 23 May 2017 12:59:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315378#M161041 leonjxtan 2017-05-23T12:59:02Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315379#M161042 <P>You can use a subsearch to find all tradeID in sourcetype2 and filter them from sourcetype1 -</P> <PRE><CODE>sourcetype=sourcetype1 NOT [ search sourcetype=sourcetype2 | dedup tradeID | table tradeID ] | dedup tradeID | table tradeID </CODE></PRE> Tue, 23 May 2017 13:02:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315379#M161042 dineshraj9 2017-05-23T13:02:59Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315380#M161043 <P>Thanks.</P> <P>I tried this search, but strangely 9 seconds are spent on parsing the search. Is it normal for sub-search?</P> <BLOCKQUOTE> <P>918.18 startup.handoff</P> </BLOCKQUOTE> Tue, 23 May 2017 13:22:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315380#M161043 leonjxtan 2017-05-23T13:22:07Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315381#M161044 <P>Try this:</P> <PRE><CODE>sourcetype=sourcetype1 OR sourcetype=sourcetype2 | stats count by tradeID,sourcetype | xyseries tradeID sourcetype count | fillnull sourcetype1 sourcetype 2 | search sourcetype1&gt;0 sourcetype2=0 | fields tradeID </CODE></PRE> Tue, 23 May 2017 13:42:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315381#M161044 knielsen 2017-05-23T13:42:37Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315382#M161045 <P>This approach should be faster -</P> <PRE><CODE>sourcetype=sourcetype1 OR sourcetype=sourcetype2 | eval flag=if(sourcetype=sourcetype2,1,0) | stats sum(flag) as flag by traceID | where flag=0 </CODE></PRE> Tue, 23 May 2017 13:49:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315382#M161045 dineshraj9 2017-05-23T13:49:54Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315383#M161046 <P>Like this:</P> <PRE><CODE>index=foo sourcetype=sourcetype1 OR sourcetype=sourcetype2 | eval tradeID=if((sourcetype=sourcetype1), tradeID, null()) | Your Other Stuff Here </CODE></PRE> Tue, 23 May 2017 21:51:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315383#M161046 woodcock 2017-05-23T21:51:26Z https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315384#M161047 <P>Try this one:</P> <P>index=* sourcetype=sourcetype1 OR sourcetype=sourcetype2<BR /> | stats dc(sourcetype as sourcetypes values(sourcetype) as sourcetype by tradeID<BR /> | search sourcetype=sourcetype1 AND sourcetypes= 2</P> Wed, 24 May 2017 09:15:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-reconcile-a-field-in-two-different-sourcetypes/m-p/315384#M161047 gvnd 2017-05-24T09:15:02Z