Hi @gcusello    I used your solution and it worked. I now only have to fix the bytes as they don't show up, but I will try to solve  it myself :D. Thanks!  ... View more

Unfortunately I get 0 results... ... View more

Hi @gcusello    My data is already 'summed' ->  This is how it is stored.  TOTAL_ATTACHMENT_SIZE_SEGMENT 5-25MB   When I try to run the query you provided it gives me an error: Error in 'stats' command: The argument '(TOTAL_ATTACHMENT_SIZE_SEGMENT)' is invalid. ... View more

Hi @gcusello  I can't seem to make it work. I'll try to explain more detailed.    I have two sources (sourcetypes basically).  Source A  User ID  Total bytes send   Source B  User ID User Email address    I want to calculate the total bytes send per User ID (For this I need Source A). Now Have I done this and the results generate an ID with the amount of Bytes send for each user.    The next step for me is to put the User Email Address next to the User ID.  This value is only known in Source B. So I need to correlate them together so that I can tell Splunk hey look up this UserID and give me User Email Address back in a table next to it.  I currently have the following:  index="ABC" source="SourceA" OR source="SourceB" | eval Total_Bytes_Size=TOTAL_ATTACHMENT_SIZE_SEGMENT | eval user=User | dedup User | where NOT Total_Bytes_Size="TOTAL_ATTACHMENT_SIZE_SEGMENT" | where NOT Total_Bytes_Size="0MB" | table User, Total_Bytes_Size | sort - Total_Bytes_Size This gives me a table with The UserID and the total Bytes size sent. Now I only need to add a row with the corresponding EMAIL_ADDRESS from source B.   Hope this clears it up a bit.      ... View more