https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638563#M221276 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254020">@RanjiRaje</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 04 Apr 2023 06:36:02 GMT gcusello 2023-04-04T06:36:02Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638421#M221262 <P>Hi, I need your suggestion here. Please guide me</P> <P>I have a lookup file with list of hosts. I need to compare it with splunk data and populate the matching count.</P> <P>Query:&nbsp;</P> <LI-CODE lang="markup">index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB) | fields device.hostname,event.HostName | rename device.hostname as hostfield, event.HostName as hostfield | lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform | fields hostfield,Platform | stats dc(hostfield) as "totalcount" by Platform</LI-CODE> <P><BR /><BR />I have 2 different sourcetype under the same index. <STRONG>sourceA</STRONG> has a field "<STRONG>device.hostname</STRONG>" and <STRONG>sourceB</STRONG> has a fields "<STRONG>event.HostName</STRONG>".</P> <P>[&nbsp; lookup file --&gt;&nbsp;hostfield: AA,BB,CC</P> <P>sourceA,device.hostname --&gt; <STRONG>AA</STRONG>,XX,YY</P> <P>sourceB,event.HostName --&gt; <STRONG>CC</STRONG>,PP,KK</P> <P>my output count should be 2&nbsp; &nbsp; ]</P> <P>If any of these 2 fields value is matching with the lookup hostname, then it should be considered.<BR />I tried rename command. Please provide your inputs..</P> Tue, 04 Apr 2023 16:43:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638421#M221262 RanjiRaje 2023-04-04T16:43:15Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638422#M221263 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254020">@RanjiRaje</a>,</P><P>instead rename, you could use eval coalesce to have one field called hostname:</P><LI-CODE lang="markup">index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB) | eval hostfield=coalesce(device.hostname,event.HostName) | lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform | stats dc(hostfield) AS "totalcount" BY Platform</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 03 Apr 2023 16:00:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638422#M221263 gcusello 2023-04-03T16:00:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638423#M221264 <P>Hi Sir,</P><P>I tried with eval - coalesce command too. But it didnt give the output.</P> Mon, 03 Apr 2023 16:04:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638423#M221264 RanjiRaje 2023-04-03T16:04:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638424#M221265 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254020">@RanjiRaje</a>,</P><P>pease try this:</P><LI-CODE lang="markup">index=idxname (sourcetype=sourceA desc=windows) OR (sourcetype=sourceB) | rename device.hostname AS hostname event.HostName AS HostName | eval hostfield=coalesce(hostname,HostName) | lookup lookupfilename fieldname as hostfield OUTPUTNEW Platform | stats dc(hostfield) AS "totalcount" BY Platform</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 03 Apr 2023 16:10:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638424#M221265 gcusello 2023-04-03T16:10:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638426#M221266 <P>Thanks sir for a quick response. renamed and tried using coalesce. It worked !!!!</P> Mon, 03 Apr 2023 17:03:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638426#M221266 RanjiRaje 2023-04-03T17:03:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638563#M221276 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254020">@RanjiRaje</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 04 Apr 2023 06:36:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-write-this-search-to-find-these-2-fields-with-the/m-p/638563#M221276 gcusello 2023-04-04T06:36:02Z