It is correct somewhat, I'm trying to 1:1 for the two specific columns. The use it just to start with the two columns matching at first, then another where they do not. Where Qui-gonn Jinn is in both Sith and Jedi indexes and listed in both columns. For some reason I thinking I might be making this more difficult than it needs to be. If the two IDs match in both columns then they are listed with the rest. Hopefully that clear is up. I am still trying to relearn the whole search in Splunk currently so I do apologize. ... View more

This was the concept: index-=sith broker sithlord!=darth_maul OR index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn") | where Jname=Sname | table Jname, Sname, strengths, mentor, skill, domain, mission, strength, teacher, actions And index-=sith broker sithlord!=darth_maul OR index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn") | where Jname!=Sname | table Jname, Sname, strengths, mentor, skill, domain, mission, strength, teacher, actions   I am trying to get the results where Jname=Sname are the same plus all following columns. This is for a comparison for our analysts and they want the first two columns to match plus following columns. Then a report where they are not matching. ... View more

I need to filter out the white noise. index-=sith broker sithlord!=darth_maul OR index=jedi domain="jedi.lightside.com" (master!="yoda" AND master!="mace" AND master="Jinn")   If I use the correct one, 75% of it is white noise. I need to use the above to isolate what I need specifically from the indexes. I need to show a 1:1 match plus a few other columns. I was asked to get the former but now they need more. ... View more

@bowesmanait worked now I have to figure out how to utilize my drill down to isolate the columns and index heading with my query. Either way thank you. ... View more

@bowesmanawill give it a try. Thank you. ... View more

Just the Jname and Sname need to match and all the other columns will coalesce.  Because of the sheer size of the Sname (I set it up as our windows log index)index it worries me. However if I can find a way to drill down and expedite. index IN (jedi AND sith) | table saber_color, Jname, Sname, strengths, saber_color | where Jname=Sname That is what I am trying. I'll give it a shot with your method. @bowesmana  ... View more

Thank you for the insight. The "| table  * *" were the columns that all match with variances in AD and unix. I have everything broken down specifically per each index in order to have somewhat of a uniform and sanitary environment. I am having to retake a crash course right now in splunk query. Let me try the method you prescribed and we can continue from there. I'll double check my column headers between the three indexes. I will be more precise in my explanation on my next follow up. Thank you. ..update.. index=cyber AND index=AD | table act, devtype, safe, issuer, username, purpose (for cyber) | table audit, e_user, evnt_cat, evnt_tsk, proc_name,   (for AD) index=cyber AND index=unix | table act, devtype, safe, issuer, username, purpose (for cyber) | table proc, src, user, msg (for unix) Double checked my data. AD and unix searches are never done together, always cyber and one or the other. ... View more