https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385564#M112594 <P>Hello Splunkers,</P> <P>I am attempting to match values (IP addresses) between FieldA in a search, and FieldB in an inputlookup. I want to come out with a table of only values in FieldB that are also in FieldA. Some pseudocode to explain my logic:</P> <PRE><CODE>myList = [] for value in FieldB: if value in FieldA: myList.append(value) </CODE></PRE> <P>I have attempted to use <EM>appendcols</EM>, <EM>append</EM>, <EM>if(like(..))</EM>, <EM>(if(match(..))</EM>, and simply <EM>search [|inputlookup ...] | where fieldA=fieldB</EM> without any luck. Comparing the fields directly with <EM>where fieldB=fieldA</EM> also does not provide any successful results. I am unable to simply compare in a list of values as strings, as there are potentially hundreds of thousands of distinct values.</P> <P>It is also noticeable that the name of fieldB (dest_ip) actually does exist in the ad-hoc search result set, but I am not at all concerned with those values, only those in the inputlookup.</P> <P>Any help to a Splunk newbie is much appreciated, thank you!</P> <P>edit - I did find partial success combining values(fieldA) and values(fieldB) in mv-fields and then expanding and checking against the values in the other. I got true positive results, but both data sets are so large that it far exceeds my memory limits for just a 60 minute window - let alone 1-3 months that I need.</P> Fri, 15 Jun 2018 23:12:13 GMT alexbradley 2018-06-15T23:12:13Z https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385564#M112594 <P>Hello Splunkers,</P> <P>I am attempting to match values (IP addresses) between FieldA in a search, and FieldB in an inputlookup. I want to come out with a table of only values in FieldB that are also in FieldA. Some pseudocode to explain my logic:</P> <PRE><CODE>myList = [] for value in FieldB: if value in FieldA: myList.append(value) </CODE></PRE> <P>I have attempted to use <EM>appendcols</EM>, <EM>append</EM>, <EM>if(like(..))</EM>, <EM>(if(match(..))</EM>, and simply <EM>search [|inputlookup ...] | where fieldA=fieldB</EM> without any luck. Comparing the fields directly with <EM>where fieldB=fieldA</EM> also does not provide any successful results. I am unable to simply compare in a list of values as strings, as there are potentially hundreds of thousands of distinct values.</P> <P>It is also noticeable that the name of fieldB (dest_ip) actually does exist in the ad-hoc search result set, but I am not at all concerned with those values, only those in the inputlookup.</P> <P>Any help to a Splunk newbie is much appreciated, thank you!</P> <P>edit - I did find partial success combining values(fieldA) and values(fieldB) in mv-fields and then expanding and checking against the values in the other. I got true positive results, but both data sets are so large that it far exceeds my memory limits for just a 60 minute window - let alone 1-3 months that I need.</P> Fri, 15 Jun 2018 23:12:13 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385564#M112594 alexbradley 2018-06-15T23:12:13Z https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385565#M112595 <P>Try <CODE>index=foo [| inputlookup myList.csv | format]</CODE></P> Sat, 16 Jun 2018 01:22:22 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385565#M112595 richgalloway 2018-06-16T01:22:22Z https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385566#M112596 <P>Hi alexbradley,<BR /> you have to use a subsearch using attention that the field name used in main search and subsearch is the same, so in your example:</P> <PRE><CODE>index=my_index [ | inputlookup my_lookup.csv | rename fieldB AS fieldA | fields fieldA ] | table _time fieldA </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Sat, 16 Jun 2018 08:00:54 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385566#M112596 gcusello 2018-06-16T08:00:54Z https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385567#M112597 <P>Thanks for your input Giuseppe; unless I grossly misunderstand, however, this doesn't find matching values between the two fields - rather gives me listings of events with fields FieldA and _time without regard to matching between the ad-hoc search and the inputlookup.</P> Sat, 16 Jun 2018 18:50:15 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385567#M112597 alexbradley 2018-06-16T18:50:15Z https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385568#M112598 <P>Have you tried the search? Your comment implies you have not.</P> <P>Subsearches are like parentheses in math - they come first. The <CODE>|inputlookup...</CODE> subsearch expands into a list of fieldA values that, when combined with <CODE>index=my_index</CODE> creates a search through my_index for all fieldA values present in the lookup table. That's sounds like what you're looking for.</P> Sun, 17 Jun 2018 16:01:28 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385568#M112598 richgalloway 2018-06-17T16:01:28Z https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385569#M112599 <P>Now with less weekend-brain: I do see what you're getting at and will run this at the first opportunity. Thanks for the clarification, richgalloway.</P> Wed, 20 Jun 2018 21:32:20 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-values-between-two-different-fields-in-ad-hoc-search/m-p/385569#M112599 alexbradley 2018-06-20T21:32:20Z