https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421361#M191040 <P>I still required a field/column within my table stating Match or No Match. In order to accomplish this, I ended up creating a lookup file </P> <P>lookup ProofOfConcept.CSV KEYFIELD as KEYFIELD OUTPUTNEW KEYFIELD as KEYFIELD2<BR /> | eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match") </P> <P>When run over the last 24hrs I had both matches and no matches populate, which was to be expected. </P> Fri, 02 Aug 2019 21:09:22 GMT cquinney 2019-08-02T21:09:22Z https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421358#M191037 <P>I'm having an issue with matching results between two searches utilizing the append command. I realize I could use the join command but my goal is to create a new field labeled Match.</P> <PRE><CODE>index=type1 EVENT_TYPE=Blah1 KEYFIELD=* | append [search index=type2 EVENT_TYPE=Blah2 | eval KEYFIELD2=field1.field2.field3.field4 | fields KEYFIELD2] | eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match") | eval results2=if(match(KEYFIELD ,KEYFIELD2),"Match","No Match") | eval results3=if(like(KEYFIELD ,"%".KEYFIELD2."%"), "Match","No Match") </CODE></PRE> <P>Even though I know there are "matches", my results only come back as No Match.<BR /> Any assistance on this would be greatly appreciated.</P> Thu, 01 Aug 2019 18:20:42 GMT https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421358#M191037 cquinney 2019-08-01T18:20:42Z https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421359#M191038 <P>You are appending records, which doesn't put them side-by-side. So you will never have a record that has both KEYFIELD and KEYFIELD2 to compare to each other. You will need to use a stats command that correlates the two datasets. What happens if you try this?</P> <PRE><CODE>index=type1 EVENT_TYPE=Blah1 KEYFIELD=* | append [search index=type2 EVENT_TYPE=Blah2 | eval KEYFIELD=field1.field2.field3.field4 | fields KEYFIELD, index] | stats dc(index) as index_count by KEYFIELD | sort -index_count </CODE></PRE> <P>There should be some values of KEYFIELD that have an index_count of 2 if there are matches. To filter them, add <CODE>|search index_count &gt; 1</CODE> to the search.</P> Wed, 30 Sep 2020 01:34:39 GMT https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421359#M191038 grittonc 2020-09-30T01:34:39Z https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421360#M191039 <P>Like this:</P> <PRE><CODE>(index=type1 EVENT_TYPE=Blah1 KEYFIELD=*) OR (index=type2 EVENT_TYPE=Blah2) | eval KEYFIELD=coalesce(KEYFIELD, field1.field2.field3.field4) | stats values(*) AS * dc(index) AS index_count BY KEYFIELD </CODE></PRE> <P>Then add some combination of logic using <CODE>index=... AND/OR index_count=</CODE></P> Fri, 02 Aug 2019 03:51:25 GMT https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421360#M191039 woodcock 2019-08-02T03:51:25Z https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421361#M191040 <P>I still required a field/column within my table stating Match or No Match. In order to accomplish this, I ended up creating a lookup file </P> <P>lookup ProofOfConcept.CSV KEYFIELD as KEYFIELD OUTPUTNEW KEYFIELD as KEYFIELD2<BR /> | eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match") </P> <P>When run over the last 24hrs I had both matches and no matches populate, which was to be expected. </P> Fri, 02 Aug 2019 21:09:22 GMT https://community.splunk.com/t5/Splunk-Search/Matching-values-from-a-subsearch-using-append/m-p/421361#M191040 cquinney 2019-08-02T21:09:22Z