https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593412#M206542 <P>Hi&nbsp;<SPAN>Giuseppe, Thank you for responding.&nbsp;</SPAN><BR />Verified there are no blank spaces.&nbsp; &nbsp;Even if there were null values for some user records,&nbsp; &nbsp;the other query i tried that has |where clause ,&nbsp; as in&nbsp;<STRONG>|where email = user_email</STRONG>&nbsp;, should work or show some matches&nbsp; &nbsp;but even that one shows&nbsp; "No results found".<BR /><BR />Out of curiosity even if i run just this one liner as shown below ,&nbsp; it displays&nbsp; fields (under Interesting Fields) only from 1st sourcetype s1.&nbsp; Nothing from S2 is visible.&nbsp; I guess that's why both coalesce and |where clause are not working for me.&nbsp;<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">index=xx (sourcetype=s1 OR sourcetype=s2 )</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Apr 2022 07:50:17 GMT neerajs_81 2022-04-12T07:50:17Z https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593406#M206538 <P>Hi All,&nbsp;&nbsp;</P><P>I have two sourcetypes in the same index, however the fields names are different but the value is same for the Email address of a user .&nbsp; &nbsp;But yet when i do a coalesce or use |where clause,&nbsp; splunk shows "No results found"<BR />&nbsp;For example:<BR />Sourcetype s1 contains email field while s2 contains user_email field.<BR />Both fields have same value:&nbsp; john_smith@domain.com</P><P>&nbsp;</P><LI-CODE lang="markup">index=xx (sourcetype=s1 OR sourcetype=s2) (email=* OR user_email=*) | eval user_id = coalesce(email, user_email) OR | index=xx (sourcetype=s1 OR sourcetype=s2) | where email=user_email</LI-CODE><P>&nbsp;</P><P><BR />Result:&nbsp; No results found.<BR /><BR />I am following whatever is&nbsp; mentioned in&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/merge-two-sourcetypes-that-have-the-same-data-but-different/m-p/493244," target="_blank" rel="noopener">https://community.splunk.com/t5/Splunk-Search/merge-two-sourcetypes-that-have-the-same-data-but-different/m-p/493244,</A>&nbsp; but yet in my case it shows 0 Result matches.<BR /><BR />Any idea what can be the issue ?&nbsp; Is the&nbsp;@ sign or "." (dot) in the email id creating a problem ?<BR /><BR /></P> Tue, 12 Apr 2022 07:14:56 GMT https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593406#M206538 neerajs_81 2022-04-12T07:14:56Z https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593407#M206539 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>at first check if there something else in your fields (e.g. spaces).</P><P>Then try this:</P><LI-CODE lang="markup">index=xx ((sourcetype=s1 email=*) OR (sourcetype=s2 user_email=*)) | eval user_id=coalesce(email,user_email)</LI-CODE><P>In addition, put speciat attention if the email field cound have null values, becuase in this case the coalesce doesn't work.</P><P>In this case, try something like this:</P><LI-CODE lang="markup">index=xx ((sourcetype=s1 email=*) OR (sourcetype=s2 user_email=*)) | eval user_id=if(email="",user_email,email)</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 12 Apr 2022 07:18:18 GMT https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593407#M206539 gcusello 2022-04-12T07:18:18Z https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593412#M206542 <P>Hi&nbsp;<SPAN>Giuseppe, Thank you for responding.&nbsp;</SPAN><BR />Verified there are no blank spaces.&nbsp; &nbsp;Even if there were null values for some user records,&nbsp; &nbsp;the other query i tried that has |where clause ,&nbsp; as in&nbsp;<STRONG>|where email = user_email</STRONG>&nbsp;, should work or show some matches&nbsp; &nbsp;but even that one shows&nbsp; "No results found".<BR /><BR />Out of curiosity even if i run just this one liner as shown below ,&nbsp; it displays&nbsp; fields (under Interesting Fields) only from 1st sourcetype s1.&nbsp; Nothing from S2 is visible.&nbsp; I guess that's why both coalesce and |where clause are not working for me.&nbsp;<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">index=xx (sourcetype=s1 OR sourcetype=s2 )</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Apr 2022 07:50:17 GMT https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593412#M206542 neerajs_81 2022-04-12T07:50:17Z https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593414#M206543 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>I don't think that this is the issue.</P><P>please try to extract the second file (user_email) using the rex command, maybe there's a problem in field extraction.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 12 Apr 2022 08:02:10 GMT https://community.splunk.com/t5/Splunk-Search/Merging-data-from-2-different-sourcetypes/m-p/593414#M206543 gcusello 2022-04-12T08:02:10Z