topic Re: Compare 2 field values from different sources. in Getting Data In

Compare 2 field values from different sources.

arrowecssupport — Tue, 29 Sep 2020 10:17:49 GMT

Scenario
We process emails looking for order numbers (ON). We need to be able to compare the order numbers we seen in the emails to our database. We're looking for matching and not matching order numbers.

How the data looks.
ON_email: 123, 234, 345, 456
ON_database: 123, 098, 456

Order numbers that match (seen in both database and emails): 123, 456
Order numbers only seen in database: 098
Order numbers only seen in emails: 234, 345

index = a OR index = b | table ON_email ON_database<< This works and shows all the data.
But when i try to compare i can't see any data.

Any ideas?

Re: Compare 2 field values from different sources.

woodcock — Fri, 22 Jul 2016 17:36:51 GMT

Try this:

index = a OR index = b | eval ON=coalesce(ON_email, ON_database) | stats dc(index) values(index) BY ON

Or maybe this:

index = a OR index = b | eval ON=coalesce(ON_email, ON_database) | stats values(ON) BY index

Re: Compare 2 field values from different sources.

sundareshr — Fri, 22 Jul 2016 17:58:38 GMT

Try this

index = a OR index = b | makemv ON_email delim="," | makemv delim=","  ON_database | eval ON=coalesce(ON_email, ON_database) | mvexpand ON | stats values(ON) by index

Re: Compare 2 field values from different sources.

gcusello — Sat, 23 Jul 2016 10:29:47 GMT

try this:

| eval count=0 | append [ search  | stats count by order_number ] | stats sum(count) AS Total | where Total>0

in this way you can find the result of the first search that are also in the second one.
Be careful: the field name must be the same in both the searches, id they aren't, rename one of them.
Bye.
Giuseppe

Re: Compare 2 field values from different sources.

gcusello — Fri, 09 Sep 2016 11:20:51 GMT

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe