https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387531#M167478 <P>you can use an inner join between source B/C and source A on field that needs to be matched.</P> Fri, 21 Sep 2018 18:41:29 GMT Vijeta 2018-09-21T18:41:29Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387530#M167477 <P>Hello, I hope someone can help.</P> <P>I am attempting to do a subsearch that I am having difficulty with and hope someone here can assist.</P> <P>I would like any fields in SourceB or SourceC that match SourceA, to be returned</P> <P>I'd previously had the following syntax:<BR /> <STRONG>SourceA | table field1 | search [ | search SourceB table field1 ] | search [ |search SourceC field1 | table src]</STRONG></P> <P>but now, I need it to be interpreded more like this:<BR /> <STRONG>SourceA field1 (SourceB field1 or SourceC field1)</STRONG></P> Fri, 21 Sep 2018 03:48:15 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387530#M167477 Task1906 2018-09-21T03:48:15Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387531#M167478 <P>you can use an inner join between source B/C and source A on field that needs to be matched.</P> Fri, 21 Sep 2018 18:41:29 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387531#M167478 Vijeta 2018-09-21T18:41:29Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387532#M167479 <P>@Task1906</P> <P>If you want to filter events from SourceA on the basis of field1 value from SourceB and SourceC then try this.</P> <P><CODE>SourceA [ search SourceB | dedup field1 | fields field1 ] OR [ search SourceC | dedup field1 | fields field1] | join field1 [ search SourceC | dedup field1 | fields field1 src ]</CODE></P> <P>Thanks</P> Sun, 23 Sep 2018 14:28:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387532#M167479 kamlesh_vaghela 2018-09-23T14:28:25Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387533#M167480 <P>kamlesh_vaghela, thanks for the input, thanks to you I have it working. But SourceA is not needed where it is. #2 SourceC is listed twice, and the 2nd time should be SourceA if it is removed from the beginning.<BR /> The working command looks like this:<BR /> <STRONG>[ search SourceB | dedup field1<BR /> | fields field1]<BR /> OR<BR /> [ search SourceB | dedup field1 | fields field1]<BR /> | join field1<BR /> [ search SourceA | dedup field1 | fields field1]<BR /> | table field1 | dedup field1</STRONG></P> Mon, 24 Sep 2018 04:29:49 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-find-matching-fields-from-2-out-of-3-sources/m-p/387533#M167480 Task1906 2018-09-24T04:29:49Z