https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246032#M189070 <P>I want join/combine two searches by their common value to compare transaction success/failure rate at both places. i tried something below, but unable to search by evaluated result</P> <P><STRONG>Step1</STRONG>: Extract substring from second log as this value exactly doesn't match within first log.</P> <P>index=indexoffirstlog sourcetype="<EM>secondlog</EM>" eval length=len(fieldinterestedin) | eval transaction_id=substr(fieldinterestedin, 6, length)</P> <P><STRONG>Step2:</STRONG> Search results within first log where result contain transaction_id (Not Joined yet, just checking first log query alone)</P> <P>index=indexoffsfirstlog sourcetype="<EM>firstlog</EM>" matchstringoffirstlog</P> <P><STRONG>Step3:</STRONG> Now join both searches and search by transaction_id</P> <P>index=indexoffirstlog AND index=indexofsecondlog sourcetype="<EM>secondlog</EM>" matchstringoffirstlog | eval length=len(fieldinterestedin) | eval result=substr(fieldinterestedin, 6, length) | search result</P> <P>But i am not getting any results. appreciate any advice.</P> Fri, 11 Mar 2016 13:53:40 GMT akonduru 2016-03-11T13:53:40Z https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246032#M189070 <P>I want join/combine two searches by their common value to compare transaction success/failure rate at both places. i tried something below, but unable to search by evaluated result</P> <P><STRONG>Step1</STRONG>: Extract substring from second log as this value exactly doesn't match within first log.</P> <P>index=indexoffirstlog sourcetype="<EM>secondlog</EM>" eval length=len(fieldinterestedin) | eval transaction_id=substr(fieldinterestedin, 6, length)</P> <P><STRONG>Step2:</STRONG> Search results within first log where result contain transaction_id (Not Joined yet, just checking first log query alone)</P> <P>index=indexoffsfirstlog sourcetype="<EM>firstlog</EM>" matchstringoffirstlog</P> <P><STRONG>Step3:</STRONG> Now join both searches and search by transaction_id</P> <P>index=indexoffirstlog AND index=indexofsecondlog sourcetype="<EM>secondlog</EM>" matchstringoffirstlog | eval length=len(fieldinterestedin) | eval result=substr(fieldinterestedin, 6, length) | search result</P> <P>But i am not getting any results. appreciate any advice.</P> Fri, 11 Mar 2016 13:53:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246032#M189070 akonduru 2016-03-11T13:53:40Z https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246033#M189071 <P>Is the length of fieldinterestedin constant?</P> Fri, 11 Mar 2016 17:41:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246033#M189071 somesoni2 2016-03-11T17:41:52Z https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246034#M189072 <P>No, It is not same. length varies. But fieldinterestedin always start wit constant like "ABCD23423fsdfsd" where ABCD is constant.</P> Fri, 11 Mar 2016 20:29:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246034#M189072 akonduru 2016-03-11T20:29:56Z https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246035#M189073 <P>Final doubt, if you remove the constant part in the fieldinterestedin field from search 2, would it match exactly with fieldinterestedin in search 1?</P> Fri, 11 Mar 2016 20:37:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246035#M189073 somesoni2 2016-03-11T20:37:50Z https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246036#M189074 <P>yes, it match except the constant part which is why i am doing substring to take off Constant part.</P> Fri, 11 Mar 2016 23:39:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246036#M189074 akonduru 2016-03-11T23:39:32Z https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246037#M189075 <P>Change your <CODE>AND</CODE> to <CODE>OR</CODE>!</P> Sat, 12 Mar 2016 00:02:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-by-variable-created-within-a-join-query/m-p/246037#M189075 woodcock 2016-03-12T00:02:09Z