https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144777#M40312 <P>source="logFILE"| rex field=_raw "(?i) Number: (?P<SERIAL_NUM_CD>[^ ]+)"|join SERIAL_NUM_CD[search source="IndexeddbDATA"]<BR /> I tried the above query its working, but other non matching fields are also displayed.</SERIAL_NUM_CD></P> Mon, 28 Sep 2020 16:29:29 GMT harshavrath 2020-09-28T16:29:29Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144775#M40310 <P>Hi,</P> <P>I have indexed few records from my DB into Splunk &amp; an log file is also indexed into Splunk. There is one matching Field in both the indexed sources i.e, Serial Number.</P> <P>My question is how can i output only the matching Events with the same Serial Number using Splunk Search. </P> <P>Any Help is Appreciated, </P> <P>Thanks.</P> Mon, 28 Apr 2014 13:29:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144775#M40310 harshavrath 2014-04-28T13:29:33Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144776#M40311 <P>Here's one way:</P> <PRE><CODE>&lt;DB search&gt; | join SerialNumber [&lt;log file search&gt;] | ... </CODE></PRE> Mon, 28 Apr 2014 14:28:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144776#M40311 richgalloway 2014-04-28T14:28:26Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144777#M40312 <P>source="logFILE"| rex field=_raw "(?i) Number: (?P<SERIAL_NUM_CD>[^ ]+)"|join SERIAL_NUM_CD[search source="IndexeddbDATA"]<BR /> I tried the above query its working, but other non matching fields are also displayed.</SERIAL_NUM_CD></P> Mon, 28 Sep 2020 16:29:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144777#M40312 harshavrath 2020-09-28T16:29:29Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144778#M40313 <P>The case of field extracted and field used for join is different. Splunk is case sensitive in field names (always). ALso, check if you have field SERIAL_NUM_CD in the source IndexeddbDATA with same case.</P> Mon, 28 Sep 2020 16:29:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144778#M40313 somesoni2 2020-09-28T16:29:31Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144779#M40314 <P>in query its Caps only, after i commented it was automatically converted into lower case.</P> Tue, 29 Apr 2014 14:14:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144779#M40314 harshavrath 2014-04-29T14:14:45Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144780#M40315 <P>It would be helpful to see some sample events from each source.</P> Tue, 29 Apr 2014 14:17:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144780#M40315 richgalloway 2014-04-29T14:17:37Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144781#M40316 <P>The query that I used is</P> <P>source="Logfile.log" | rex field=_raw "(?i) Number: (?P<SERIAL_NUM_CD>[^ ]+)" | search SERIAL_NUM_CD="*" | join SERIAL_NUM_CD[search source="IndexeddbDATA"]</SERIAL_NUM_CD></P> <P>I’m able to get the matching fields as output from the Log file but my requirement is I want the matching fields from both the log as well as DB to be displayed.</P> Mon, 28 Sep 2020 16:31:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144781#M40316 harshavrath 2020-09-28T16:31:19Z https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144782#M40317 <P>You showed your query previously. Now we need to see sample events.</P> Fri, 02 May 2014 11:44:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-output-matching-fields/m-p/144782#M40317 richgalloway 2014-05-02T11:44:09Z