https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/581989#M202728 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>,</P><P>use stats, something like this:</P><LI-CODE lang="markup">index=country (sourcetype=sourcetype_A OR sourcetype=sourcetype_B) | eval ID = ltrim(ID,"0") | stats count AS dc_st values(age) AS age values(city) AS city values(state) AS state values(job) As job values(salary) AS salary values(gender) AS gender By ID | where dc_st &gt;1</LI-CODE><P>if you have a multivalue field, you can expand it adding at the end:</P><LI-CODE lang="markup">| mvexpand &lt;field&gt;</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 21 Jan 2022 13:11:32 GMT gcusello 2022-01-21T13:11:32Z https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/581985#M202726 <P>I have,<BR />sourcetype_A&nbsp; (fields : ID, age, city, state)<BR />sourcetype_B&nbsp; (fields : ID, job, salary, gender)<BR /><BR />The fields "ID" is common in both sourcetype_A and B but with a caveat.<BR />example1 : for ID = 1687, it is present in sourcetype_A as 0001687 , in sourcetype_B as 1687<BR />example2 : for ID = 9843, it is present in sourcetype_A as 009843 , in sourcetype_B as 9843<BR />example3 : for ID = 8765, it is present in sourcetype_A as 08765 , in sourcetype_B as 8765<BR />where 1687, 9843, 8765 are the actual IDs. zeros are creating mess in sourcetype_A .<BR /><BR />I am not allowed to use join, So this is what I am trying but I am not seeing all my data.<BR /><BR />===================================<BR />(index=country) sourcetype=sourcetype_A OR&nbsp;sourcetype=sourcetype_B<BR />| eval ID = ltrim(ID,"0")<BR />| eventstats dc(sourcetype) as dc_st<BR />| where dc_st &gt;1<BR />| table&nbsp;ID, age, city, state,&nbsp; job, salary, gender<BR />===================================<BR /><BR />I also tried | stats values (age) as age&nbsp;<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ........<BR />&nbsp; &nbsp; &nbsp;..........................................................<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; by ID.<BR />But stats gave me massive multivalue fields with messy duplicates. I am asked to get in one row per data (no multivalues )<BR /><BR />Any help ?<BR /><BR /></P> Fri, 21 Jan 2022 11:44:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/581985#M202726 zacksoft_wf 2022-01-21T11:44:33Z https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/581989#M202728 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>,</P><P>use stats, something like this:</P><LI-CODE lang="markup">index=country (sourcetype=sourcetype_A OR sourcetype=sourcetype_B) | eval ID = ltrim(ID,"0") | stats count AS dc_st values(age) AS age values(city) AS city values(state) AS state values(job) As job values(salary) AS salary values(gender) AS gender By ID | where dc_st &gt;1</LI-CODE><P>if you have a multivalue field, you can expand it adding at the end:</P><LI-CODE lang="markup">| mvexpand &lt;field&gt;</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 21 Jan 2022 13:11:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/581989#M202728 gcusello 2022-01-21T13:11:32Z https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/582014#M202737 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237518">@zacksoft_wf</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 21 Jan 2022 15:03:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-data-from-TWO-different-sourcetypes/m-p/582014#M202737 gcusello 2022-01-21T15:03:23Z