https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482256#M193203 <P>Getting close answer like one below after couple changes, need 2 more changes<BR /> 1)Want to break down results correlation id by correlation id and display all 4 sourcetypes for each corr-id<BR /> 2)display null values for source types where corr-id don't exists<BR /> Actual -<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_HUB 1<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_RISK 1<BR /> 116f755f-2c67-4604-b98a-90ed0bb43f74 API_RISK 1<BR /> 11f7a987-e7a8-4ba3-9445-8ad92f4ecc05 API_PAY 1<BR /> 11f7a987-e7a8-4ba3-9445-8ad92f4ecc05 API_RISK 1</P> <P>Expected-<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_HUB 1<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_RISK 1<BR /> NULL API_PAY<BR /><BR /> NULL API_PAY1</P> <P>116f755f-2c67-4604-b98a-90ed0bb43f74 API_RISK 1<BR /> NULL API_RISK 1<BR /> NULL API_PAY<BR /><BR /> NULL API_PAY1</P> <P>Modified new query is below, can this be modified to get expected results above ?<BR /> sourcetype=API_HUB OR sourcetype=API_RISK OR sourcetype=API_PAY OR sourcetype=API_PAY2<BR /> | stats values(CorrelationId) as CorrelationId by sourcetype<BR /> |append [|makeresults <BR /> |eval sourcetype=split("API_HUB,API_RISK,API_PAY ,API_PAY2" ,",")<BR /> | mvexpand sourcetype<BR /> | fields sourcetype]<BR /> | stats count by CorrelationId,sourcetype<BR /> | fillnull value="Not exists" CorrelationId | sort (CorrelationId)</P> Wed, 30 Sep 2020 05:05:17 GMT msrama5 2020-09-30T05:05:17Z https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482252#M193199 <P>Hello, I have query which joins across 4 sources and correlationid may or may not exists across all sources, I want to print the id and exists or not exists on each source, wrote the query below and actual results only shows one source where value is present and does not show other 3 sources, any ideas how can this query be modified to show expected results ? <BR /> Query -<BR /> sourcetype=API_HUB OR sourcetype=API_RISK OR sourcetype=API_SECURE OR sourcetype=API_PAYMENT<BR /> | eval CorrelationId = coalesce(CorrelationId,"Not exists") <BR /> | table sourcetype,CorrelationId | dedup CorrelationId,sourcetype | sort(sourcetype,CorrelationId)</P> <P>Actual results<BR /> sourcetype CorrelationId<BR /> API_RISK 123456-34344-55555</P> <P>Expected results<BR /> sourcetype CorrelationId<BR /> API_RISK 123456-34344-55555<BR /> API_PAYMENT Not exists<BR /> API_SECURE Not exists<BR /> API_HUB Not exists</P> Wed, 30 Sep 2020 05:07:44 GMT https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482252#M193199 msrama5 2020-09-30T05:07:44Z https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482253#M193200 <P>@msrama5 ,<BR /> Do you have events for other sourcetypes?<BR /><BR /> Try below search for the same time window. </P> <PRE><CODE>sourcetype=API_HUB OR sourcetype=API_RISK OR sourcetype=API_SECURE OR sourcetype=API_PAYMENT|stats count by sourcetype </CODE></PRE> Thu, 23 Apr 2020 03:44:49 GMT https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482253#M193200 renjith_nair 2020-04-23T03:44:49Z https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482254#M193201 <P>I wrote the query using map for find correlation id in first query and substitute one by one in second query to return results for each id as below, this query is not working, wanting to get corrid and substitute in second query as is, any ideas what is wrong with query below ? no results are returned for query below<BR /> sourcetype=OPENAPI_HUB | stats count by CorrelationId | <BR /> map search="search "$CorrelationId$" sourcetype=OPENAPI_HUB OR sourcetype=OPEN_ASSESSMENT OR sourcetype=OPEN_TEST OR sourcetype=OPENAPI_DEV | eval CorrelationId = coalesce(CorrelationId,"Not exists") | stats count by CorrelationId,sourcetype | sort(CorrelationId,sourcetype)"</P> Wed, 30 Sep 2020 05:04:53 GMT https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482254#M193201 msrama5 2020-09-30T05:04:53Z https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482255#M193202 <PRE><CODE>sourcetype=API_HUB OR sourcetype=API_RISK OR sourcetype=API_SECURE OR sourcetype=API_PAYMENT | stats values(CorrelationId) as CorrelationId by sourcetype |append [|makeresults |eval sourcetype=split("API_HUB,API_RISK,API_SECURE,API_PAYMENT" ,",") | mvexpand sourcetype | fields sourcetype] | stats values(CorrelationId) as CorrelationId by sourcetype | fillnull value="Not exists" CorrelationId </CODE></PRE> <P>Splunk can't search nothing.</P> Thu, 23 Apr 2020 10:07:19 GMT https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482255#M193202 to4kawa 2020-04-23T10:07:19Z https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482256#M193203 <P>Getting close answer like one below after couple changes, need 2 more changes<BR /> 1)Want to break down results correlation id by correlation id and display all 4 sourcetypes for each corr-id<BR /> 2)display null values for source types where corr-id don't exists<BR /> Actual -<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_HUB 1<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_RISK 1<BR /> 116f755f-2c67-4604-b98a-90ed0bb43f74 API_RISK 1<BR /> 11f7a987-e7a8-4ba3-9445-8ad92f4ecc05 API_PAY 1<BR /> 11f7a987-e7a8-4ba3-9445-8ad92f4ecc05 API_RISK 1</P> <P>Expected-<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_HUB 1<BR /> 1129213a-6d34-46e3-a7d7-2e2fcc552045 API_RISK 1<BR /> NULL API_PAY<BR /><BR /> NULL API_PAY1</P> <P>116f755f-2c67-4604-b98a-90ed0bb43f74 API_RISK 1<BR /> NULL API_RISK 1<BR /> NULL API_PAY<BR /><BR /> NULL API_PAY1</P> <P>Modified new query is below, can this be modified to get expected results above ?<BR /> sourcetype=API_HUB OR sourcetype=API_RISK OR sourcetype=API_PAY OR sourcetype=API_PAY2<BR /> | stats values(CorrelationId) as CorrelationId by sourcetype<BR /> |append [|makeresults <BR /> |eval sourcetype=split("API_HUB,API_RISK,API_PAY ,API_PAY2" ,",")<BR /> | mvexpand sourcetype<BR /> | fields sourcetype]<BR /> | stats count by CorrelationId,sourcetype<BR /> | fillnull value="Not exists" CorrelationId | sort (CorrelationId)</P> Wed, 30 Sep 2020 05:05:17 GMT https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482256#M193203 msrama5 2020-09-30T05:05:17Z https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482257#M193204 <P>sorry. I don't know your log. and your query is changed from question. so I can't make it.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8757i302200AB756B4836/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>maybe, this result will be wrong.</P> Fri, 24 Apr 2020 00:36:49 GMT https://community.splunk.com/t5/Splunk-Search/Join-across-multiple-sources-display-all-sources-with-values/m-p/482257#M193204 to4kawa 2020-04-24T00:36:49Z