https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562297#M195563 My bad i should have explained in detail. hostA and hostB are like datacenters and 1,2,3.... are hosts. and wanted to check side by side to those datacenters and only get the token value that matches. here is the sample log: 2021-08-05 19:01:59.677 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostA = 1 source = a.log sourcetype = a_log 2021-08-05 19:01:59.687 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostb = 6 source = a.log sourcetype = a_log if the Token matches on both hostA and hostB then only the matched are needed. Thu, 05 Aug 2021 19:10:00 GMT DougiieDee 2021-08-05T19:10:00Z https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562284#M195561 I have two different hosts . hostA-1, hostA-2, hostA-3, hostA-4, hostA-5 . hostB-5, hostB-6, hostB-7, hostB-8. I want to compare the specific value from the logs that are matched like Token which are unique but wanted to find if the value are matched between hostA and hostB and form a table based on that which will show hosts name A and B and below will be the matching token Thu, 05 Aug 2021 17:44:45 GMT https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562284#M195561 DougiieDee 2021-08-05T17:44:45Z https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562287#M195562 <P>You said two hosts but then gave 8 values, are you just interested in the first part of the name?</P><P>Can you share some sample events and show which fields are already extracted and which is these would be considered as Tokens?</P> Thu, 05 Aug 2021 18:12:08 GMT https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562287#M195562 ITWhisperer 2021-08-05T18:12:08Z https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562297#M195563 My bad i should have explained in detail. hostA and hostB are like datacenters and 1,2,3.... are hosts. and wanted to check side by side to those datacenters and only get the token value that matches. here is the sample log: 2021-08-05 19:01:59.677 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostA = 1 source = a.log sourcetype = a_log 2021-08-05 19:01:59.687 INFO RestTemplate: {"logType":"STANDARD","message":"==========================request log================================================", "Method":"POST","Headers":"{Accept=[application/json], Content-Type=[application/json], Authorization=[Bearer eyJhQM8DMG8bEtCIsiZ0GjyYWxwt3ny1Q], Token=[basd23123], "Request body": {"accountNumber":824534875389475}}} hostb = 6 source = a.log sourcetype = a_log if the Token matches on both hostA and hostB then only the matched are needed. Thu, 05 Aug 2021 19:10:00 GMT https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562297#M195563 DougiieDee 2021-08-05T19:10:00Z https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562302#M195564 <LI-CODE lang="markup">| rex "Token=\[(?&lt;token&gt;[^\]]+)\].+(?&lt;host&gt;host\w+)\s" | eventstats values(host) as hosts by token | where mvcount(hosts) = 2</LI-CODE> Thu, 05 Aug 2021 20:19:23 GMT https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562302#M195564 ITWhisperer 2021-08-05T20:19:23Z https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562320#M195566 it didnt show any events Thu, 05 Aug 2021 21:46:10 GMT https://community.splunk.com/t5/Splunk-Search/Compare-logs-between-different-host-and-match-the-value/m-p/562320#M195566 DougiieDee 2021-08-05T21:46:10Z