Splunk Search

join and compare the values in 2 different field which values are same from different

Path Finder

In my search, ContextId and sourceSession have the same values but are indexed into different places. How can I compare the 2 field values? I want to display the common field values.

index=mapps sourcetype=iis  host=* earliest=-1h@m
| dedup ContextId
| table ContextId
| join type=inner ContextId [search index=gateways  source=http:ClientLoggingProd message.application="samrts" earliest=-1h@m | dedup "message.sourceSession" | rename message.sourceSession as sourceSession]
| eval nodiff=if(match(sourceSession,ContextId),"ContextId",NULL)

Assumptions: you want the last record from each message.sourceSession from index=gateways, that has a ContextId in index mapps for the same time frame.

It is important to note that you aren't using any information from the mapps index other than the presence of a record, so getting the latest is not needed - if any record exists in index mapps for a ContextId, then you want the corresponding latest record from the other index.

Try this...

(index=mapps sourcetype=iis  host=* ) OR (index=gateways source=http:ClientLoggingProd message.application="samrts" )
| rename message.sourceSession as sourceSession
| fields index ContextId sourceSession (and whatever else you need) 
| eventstats max(eval(case(index="mapps",1))) as mappfound by ContextId
| where mappfound=1 and index="gateways"
| dedup sourceSession

Revered Legend

I would do it like this (gives a list of common ContextId values between your two data sources)

(index=mapps sourcetype=iis  host=*) OR (index=gateways  source=http:ClientLoggingProd message.application="samrts") earliest=-1h@m
| eval ContextId=coalesce('message.sourceSession',ContextId)
| stats dc(index) as sources by ContextId
| where sources=2
| table ContextId
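
The join-free correlation suggested in the answers above, as an added example that is not part of the original thread. It runs on rows constructed with makeresults instead of the real indexes (the sess-* values and the session_key, source_count, sources and status field names are assumptions made for illustration), and it goes one step beyond the common values by also labelling sessions that appear in only one index.

```spl
| makeresults count=6
| streamstats count AS n
| eval index=if(n<=3, "mapps", "gateways")
| eval ContextId=case(n=1, "sess-a", n=2, "sess-b", n=3, "sess-c")
| eval sourceSession=case(n=4, "sess-b", n=5, "sess-c", n=6, "sess-d")
| eval session_key=coalesce(ContextId, sourceSession)
| stats dc(index) AS source_count values(index) AS sources BY session_key
| eval status=case(source_count=2, "in both", sources="mapps", "mapps only", true(), "gateways only")
| table session_key status
```

On real data, replace the first five lines with the two base searches joined by OR and the rename of message.sourceSession to sourceSession. Adding `| where source_count=2` keeps only the values present in both indexes.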
