That works great!  Just what I was looking for. Thanks much for your support, bowesmana! ... View more

Ugh....sorry.  I modified data in the examples as I was typing my last response, and didn't update each "table" as needed.  Here are correct values.  Sorry for the confusion!  I didn't see an option to edit or delete my last response. Sourcetype=autos VIN MAKE MODEL 1234ABCD FORD GT ABCD1234 DODGE VIPER 1A2B3C4D CHEVROLET CORVETTE A1B2C3D4 AUDI     Sourcetype=cars SN MANUFACTURER PRODUCT 1234ABCD FORD GT ABCD1234 DODGE CARAVAN 1A2B3C4D CHEVY CORVETTE A1B2C3D4   A8   I'd like to compare the two sourcetypes and see the results where VIN=SN, but MAKE!=MANUFACTURER OR MODEL!=PRODUCT. (Caveat - if any events in either sourcetype contain a null value, they can be ignored/excluded by the search.) From the example data above, ideally the search would display the following fields, and results would contain these two events (because VIN and SN match, but "VIPER" does not equal "CARAVAN", and "CHEVROLET" does not equal "CHEVY").   VIN MAKE MODEL SN MANUFACTURER PRODUCT ABCD1234 DODGE VIPER ABCD1234 DODGE CARAVAN 1A2B3C4D CHEVROLET CORVETTE 1A2B3C4D CHEVY CORVETTE   Sorry again for the confusion. ... View more

Thanks for the response, Bowesmana.  Understood. Here are sourcetypes and field data examples. Sourcetype=autos VIN MAKE MODEL 1234ABCD FORD GT 1A2B3C4D CHEVROLET CORVETTE ABCD1234 DODGE VIPER A12B3C4D AUDI     Sourcetype=cars SN MANUFACTURER PRODUCT 1234ABCD FORD GT ABCD1234 CHEVY CORVETTE 1A2B3C4D DODGE CARAVAN A1B2C3D4   A8   I'd like to compare the two sourcetypes and see the results where VIN=SN, but MAKE!=MANUFACTURER OR MODEL!=PRODUCT. (Caveat - if any events in either sourcetype contain a null value, they can be ignored/excluded by the search.) From the example data above, ideally the search would display the following fields, and results would contain these two events (because VIN and SN match, but "CHEVROLET" does not equal "CHEVY", and "VIPER" does not equal "CARAVAN").   VIN MAKE MODEL SN MANUFACTURER PRODUCT 1A2B3C4D CHEVROLET CORVETTE 1A2B3C4D CHEVY CORVETTE ABCD1234 DODGE VIPER ABCD1234 DODGE CARAVAN   Hope this helps to clarify.  Please let me know if you have any questions or suggestions.  I appreciate your help! ... View more

Actually, the further I review this, the more confused I get.   In your example, why did you split makes and models?  Is it necessary to append data from one sourcetype to the other?  I assume so, otherwise the where command would be invalid. You're right, though.  The last three commands are key to the search.  As powerful as Splunk is, I'd sure think there's a much simpler process to search multiple sourcetypes with conditions applied.  (There truly is no comparison between the two, but I could create this query using Access in about 30 seconds.  However, the amount of data I'm searching is far too large for Access...) Thanks for any feedback you can provide. ... View more

Thanks for your response, bowesmana!  You've got me headed in the right direction. ... View more