https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298335#M89962 <P>I would do like this (gives list of common ContextId values between two data sources of yours)</P> <PRE><CODE>(index=mapps sourcetype=iis host=*) OR (index=gateways source=http:ClientLoggingProd message.application="samrts") earliest=-1h@m | eval ContextId=coalesce('message.sourceSession',ContextId) | stats count by ContextId | table ContextId </CODE></PRE> Thu, 05 Oct 2017 18:33:48 GMT somesoni2 2017-10-05T18:33:48Z https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298334#M89961 <P>in my search contcxtid and sourceSession has the same vales but indexing in to different places how could i compare the 2 field values and want to display the command filed values</P> <PRE><CODE>index=mapps sourcetype=iis host=* earliest=-1h@m|dedup ContextId |table ContextId |join type=inner ContextId [search index=gateways source=http:ClientLoggingProd message.application="samrts" earliest=-1h@m | dedup "message.sourceSession" |rename message.sourceSession as sourceSession] |eval nodiff=if(match(sourceSession,ContextId),"ContextId",NULL) </CODE></PRE> Thu, 05 Oct 2017 17:42:14 GMT https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298334#M89961 svemurilv 2017-10-05T17:42:14Z https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298335#M89962 <P>I would do like this (gives list of common ContextId values between two data sources of yours)</P> <PRE><CODE>(index=mapps sourcetype=iis host=*) OR (index=gateways source=http:ClientLoggingProd message.application="samrts") earliest=-1h@m | eval ContextId=coalesce('message.sourceSession',ContextId) | stats count by ContextId | table ContextId </CODE></PRE> Thu, 05 Oct 2017 18:33:48 GMT https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298335#M89962 somesoni2 2017-10-05T18:33:48Z https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298336#M89963 <P>Assumptions: you want the last record from each message.sourceSession from index=gateways, that has a ContextId in index mapps for the same time frame.</P> <P>It is important to note that you aren't using any information from the <CODE>mapps</CODE> index other than the presence of a record, so getting the latest is not needed - if any record exists in index <CODE>mapps</CODE> for a <CODE>ContextId</CODE>, then you want the corresponding latest record from the other index.</P> <P>Try this...</P> <PRE><CODE>earliest=-1h@m (index=mapps sourcetype=iis host=* ) OR (index=gateways source=http:ClientLoggingProd message.application="samrts" ) | rename message.sourceSession as sourceSession | fields index ContextId sourceSession (and whatever else you need) | eventstats max(eval(case(index="mapps",1))) as mappfound by ContextId | where mappfound=1 and index="gateways" | dedup sourceSession </CODE></PRE> Thu, 05 Oct 2017 20:18:45 GMT https://community.splunk.com/t5/Splunk-Search/join-and-compare-the-values-in-2-different-field-which-values/m-p/298336#M89963 DalJeanis 2017-10-05T20:18:45Z