https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313261#M93772 <P>I have two sourcetypes. In both, there is a field present that has the same value in both but just another name, let's say Field1 en Field1a<BR /> Normally each value is present in both. This can be more than once but then also in both. Sometimes the value is only present in 1 of the sourcetypes. I want to determine when this happens. I thought it would be easy by just counting the number of each value in both sources and when the two counts are different I would know. But somehow I am not able to do a count of them both, someone ideas?</P> Wed, 04 Apr 2018 14:30:20 GMT Mike6960 2018-04-04T14:30:20Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313261#M93772 <P>I have two sourcetypes. In both, there is a field present that has the same value in both but just another name, let's say Field1 en Field1a<BR /> Normally each value is present in both. This can be more than once but then also in both. Sometimes the value is only present in 1 of the sourcetypes. I want to determine when this happens. I thought it would be easy by just counting the number of each value in both sources and when the two counts are different I would know. But somehow I am not able to do a count of them both, someone ideas?</P> Wed, 04 Apr 2018 14:30:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313261#M93772 Mike6960 2018-04-04T14:30:20Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313262#M93773 <P>Does something like this help?</P> <PRE><CODE>index=blah sourcetype=sourcetypeA OR sourcetype=sourcetypeB | stats count(my_field) as count by sourcetype </CODE></PRE> Thu, 05 Apr 2018 00:18:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313262#M93773 davpx 2018-04-05T00:18:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313263#M93774 <P>Thanks, but the 'my field' has a different name in both sourcetypes so I can't count by just one field</P> Thu, 05 Apr 2018 06:19:48 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313263#M93774 Mike6960 2018-04-05T06:19:48Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313264#M93775 <P>@Mike6960, you would need to create a <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addaliasestofields">Field Alias Knowledge Object</A> for one of the sourcetype to make both the fields names as same lets say Field1.</P> <P>If you are creating a Field Alias For <CODE>sourcetype B</CODE> will have effect similar to following command <CODE>eval Field1=Field1a</CODE><BR /> If you want to do something similar in your Splunk Query you can try the following:</P> <PRE><CODE>index=blah sourcetype=sourcetypeA OR sourcetype=sourcetypeB | rename Field1a as Field1 | stats count by sourcetype Field1 </CODE></PRE> Thu, 05 Apr 2018 06:30:51 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313264#M93775 niketn 2018-04-05T06:30:51Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313265#M93776 <P>Hi @niketnilay,<BR /> I've created a fieldalias and I use chart count by sourcetype 'and' Field1. I almost have the result I want. The result is now a table which shows which shows the Field1 and how many times its exists in each sourcetype. Now I want to see only the results where the counts are not equal....? </P> Thu, 05 Apr 2018 06:46:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313265#M93776 Mike6960 2018-04-05T06:46:55Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313266#M93777 <P>Instead of stats use chart,</P> <PRE><CODE> &lt;YourBaseSearch&gt; | chart count by Field1 sourcetype | search sourcetypeA!=sourcetypeB </CODE></PRE> <P>Or </P> <PRE><CODE> &lt;YourBaseSearch&gt; | chart count over Field1 by sourcetype | search sourcetypeA!=sourcetypeB </CODE></PRE> Thu, 05 Apr 2018 08:22:08 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313266#M93777 niketn 2018-04-05T08:22:08Z https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313267#M93778 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201110">@niketn</a> , I produced this :<BR /> Fieldalias for B_C and B_X is B_C_X</P> <P>| eval B_C_X =ltrim(tostring(B_C_X ),"0")<BR /> | chart count(B_C) as T count(B_X) as T2 by B_C_X<BR /><BR /> | where T!= T2 <BR /> | fillnull</P> <P>if I use 'search' instead of 'where' I still get mutiple rows with all the results. Now I only need to figure out how to show the sourcetype in the result</P> Tue, 29 Sep 2020 18:52:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-count-same-field-from-different-sourcetypes/m-p/313267#M93778 Mike6960 2020-09-29T18:52:44Z