https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586312#M204252 <P>Give this a try</P><LI-CODE lang="markup">index=A sourcetype=B "ERROR_A" OR "ERROR_B" | rex field=_raw "loginid (?&lt;login_id&gt;\d+) ::" | eval Error=if(searchmatch("ERROR_A"), "ERROR_A" ,"ERROR_B" ) | stats dc(Error) as Errors by loginid | where Errors=2 | tableloginid</LI-CODE> Wed, 23 Feb 2022 20:43:01 GMT somesoni2 2022-02-23T20:43:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586285#M204238 <P>I have two queries:&nbsp;</P><P>1. index=A sourcetype=B&nbsp; "ERROR_A" | rex field=_raw "loginid (?&lt;login_id&gt;\d+) ::" | deduploginid | tableloginid</P><P>o/p eg::</P><P>123</P><P>456</P><P>789</P><P>&nbsp;</P><P>2. index=A sourcetype=B&nbsp; "ERROR_B" | rex field=_raw "loginid (?&lt;login_id&gt;\d+) ::" | dedup loginid | table loginid</P><P>o/p eg::</P><P>878</P><P>123</P><P>456</P><P>Query 1 finds all the login ID which failed because of ERROR_A and Query 2 finds all the login ID which failed because of ERROR_B. I want to find all the loginId which failed because of both ERROR_A and ERROR_B.SO expected result from above is</P><P>123</P><P>456</P><P>How can I combine both these queries given the the loginid is a extract field from raw logs.?</P> Wed, 23 Feb 2022 17:24:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586285#M204238 user9025 2022-02-23T17:24:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586292#M204239 <LI-CODE lang="markup">index=A sourcetype=B "ERROR_A" OR "ERROR_B" | rex "(?&lt;errortype&gt;ERROR_A|ERROR_B)" | rex field=_raw "loginid (?&lt;login_id&gt;\d+) ::" | stats count by login_id errortype | stats count by login_id | where count = 2</LI-CODE> Wed, 23 Feb 2022 18:00:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586292#M204239 ITWhisperer 2022-02-23T18:00:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586312#M204252 <P>Give this a try</P><LI-CODE lang="markup">index=A sourcetype=B "ERROR_A" OR "ERROR_B" | rex field=_raw "loginid (?&lt;login_id&gt;\d+) ::" | eval Error=if(searchmatch("ERROR_A"), "ERROR_A" ,"ERROR_B" ) | stats dc(Error) as Errors by loginid | where Errors=2 | tableloginid</LI-CODE> Wed, 23 Feb 2022 20:43:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586312#M204252 somesoni2 2022-02-23T20:43:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586357#M204267 <P>I will try and update. May I know that in the expression :&nbsp;</P><LI-CODE lang="markup">| eval Error=if(searchmatch("ERROR_A"), "ERROR_A" ,"ERROR_B" )</LI-CODE><P>&nbsp;</P><P>Why have we put only ERROR_A in searchmatch clause ?</P> Thu, 24 Feb 2022 05:59:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586357#M204267 user9025 2022-02-24T05:59:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586358#M204268 <P>Testing.Will update once i ran this.</P> Thu, 24 Feb 2022 05:59:21 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-common-values-in-result-of-two-queries-on-same/m-p/586358#M204268 user9025 2022-02-24T05:59:21Z