https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289889#M165765 <P>Thanks a lot, I am getting the list, but is there any way to get the full logs because i want to check the hostname on each of the search result to check how many requests are hitting each server for the matched xCoord and yCoord as the application is deployed on 3 servers. </P> Fri, 06 Oct 2017 18:33:49 GMT manojnelakurthi 2017-10-06T18:33:49Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289887#M165763 <P>I have 2 searches <BR /> Search1:<BR /> index=i_temp source=<EM>source1</EM> <BR /> Results:<BR /> xCoord=1155276.2781774567 yCoord=1885220.7999824171<BR /> xCoord=1144751.2989115883 yCoord=1919044.2279770568</P> <P>Search2:<BR /> index=i_production source=<EM>feed</EM> <BR /> Results:<BR /> xCoord=1155276.2781774567 yCoord=1885220.799982417</P> <P>I want to compare both the search results and return the results if the string xCoord=1155276.2781774567 yCoord=1885220.7999824171 is same in both the searches. In reality the results for bot the searches are larger in number.</P> <P>Thanks</P> Fri, 06 Oct 2017 17:21:29 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289887#M165763 manojnelakurthi 2017-10-06T17:21:29Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289888#M165764 <P>Try this (gives list of xCoord and yCoord which are common in both indexes/sources)</P> <PRE><CODE>(index=i_temp source=*source1*) OR (index=i_production source=*feed* ) | stats dc(index) as indexes by xCoord yCoord | where indexes=2 </CODE></PRE> Fri, 06 Oct 2017 17:26:21 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289888#M165764 somesoni2 2017-10-06T17:26:21Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289889#M165765 <P>Thanks a lot, I am getting the list, but is there any way to get the full logs because i want to check the hostname on each of the search result to check how many requests are hitting each server for the matched xCoord and yCoord as the application is deployed on 3 servers. </P> Fri, 06 Oct 2017 18:33:49 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289889#M165765 manojnelakurthi 2017-10-06T18:33:49Z https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289890#M165766 <P>You can do something like this...</P> <PRE><CODE> (index=i_temp source=*source1*) OR (index=i_production source=*feed* ) | eval Field1=case(index=i_production,Field1) | eval TempTime=case(index=i_temp,_time) | eval ProdTime=case(index=i_production,_time) | fields xCoord yCoord ProdTime TempTime ...any other fields we want to keep... | stats values(*) as * by xCoord yCoord </CODE></PRE> <P>If you want a field with a particular name from one index, but not from the other, then you do something like the <CODE>eval Field1</CODE> line. If you need both and you need to know which is which, then use something like the <CODE>eval TempTime/prodTime</CODE> lines. </P> Fri, 06 Oct 2017 21:04:59 GMT https://community.splunk.com/t5/Splunk-Search/how-to-compare-values-from-two-different-searches-and-return-the/m-p/289890#M165766 DalJeanis 2017-10-06T21:04:59Z