https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558552#M158667 <P>I am trying to make a comparison of one field against itself but from a previous day.&nbsp; The use case is I'm trying to see if that value changes from day to day, the field is a file hash.&nbsp; I sun a search for today and rename the field I want to compare then run a subsearch and rename the field again so I can then compare them after the subsearch finishes but the eval always evaluates to false and displays the last response you place in the eval line.&nbsp;&nbsp;</P><P>My code:</P><P>index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"<BR />| rename FileHash as "todays_hash"<BR />| append [ search&nbsp;index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"<BR />| rename FileHash as "yesterdays_hash"]<BR />| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")<BR />| table description todays_hash yesterdays_hash</P><P>&nbsp;</P><P>I have tried changing the order of the eval putting != before == and it will always take the second options.&nbsp; The table it showing the eval results and the 2 hashes.</P><P>Thanks!</P> Wed, 07 Jul 2021 13:12:18 GMT mybestfriendbob 2021-07-07T13:12:18Z https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558552#M158667 <P>I am trying to make a comparison of one field against itself but from a previous day.&nbsp; The use case is I'm trying to see if that value changes from day to day, the field is a file hash.&nbsp; I sun a search for today and rename the field I want to compare then run a subsearch and rename the field again so I can then compare them after the subsearch finishes but the eval always evaluates to false and displays the last response you place in the eval line.&nbsp;&nbsp;</P><P>My code:</P><P>index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00"<BR />| rename FileHash as "todays_hash"<BR />| append [ search&nbsp;index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00"<BR />| rename FileHash as "yesterdays_hash"]<BR />| eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed")<BR />| table description todays_hash yesterdays_hash</P><P>&nbsp;</P><P>I have tried changing the order of the eval putting != before == and it will always take the second options.&nbsp; The table it showing the eval results and the 2 hashes.</P><P>Thanks!</P> Wed, 07 Jul 2021 13:12:18 GMT https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558552#M158667 mybestfriendbob 2021-07-07T13:12:18Z https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558574#M158676 <P>The append command creates separate events for the results of the subsearch.&nbsp; IOW, the first set of events will contain a todays_hash field, but not a yesterdays_hash" field and the appended events will contain a yesterdays_hash field, but not a todays_hash field.&nbsp; The solution is to use the stats command to combine the events on a common field.</P><LI-CODE lang="markup">index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/11/2021:00:00:00" latest="06/11/2021:24:00:00" | rename FileHash as "yesterdays_hash" | append [ search index=my_index RuleName="Monitor The File" FileName="file.exe" earliest="06/12/2021:00:00:00" latest="06/12/2021:24:00:00" | rename FileHash as "todays_hash"] | stats values(*) as * by FileName | eval description=case(todays_hash=yesterdays_hash,"Hash has not changed", todays_hash!=yesterdays_hash,"Hash has changed") | table FileName description todays_hash yesterdays_hash</LI-CODE> Wed, 07 Jul 2021 14:20:44 GMT https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558574#M158676 richgalloway 2021-07-07T14:20:44Z https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558600#M158692 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/186952">@mybestfriendbob</a>&nbsp;</P><P>You can try this also.</P><LI-CODE lang="markup">index=my_index RuleName="Monitor The File" FileName="file.exe" earliest=-1d@d | eval FileHash = if( _time&gt;=relative_time(now(), "@d"),FileHash,null()) | eval PrevFileHash = if( _time&lt;relative_time(now(), "@d"),FileHash,null()) | stats values(*) as * by FileName | eval description=case(FileHash=PrevFileHash,"Hash has not changed", FileHash!=PrevFileHash,"Hash has changed") | table FileName description FileHash PrevFileHash</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Wed, 07 Jul 2021 16:48:22 GMT https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558600#M158692 kamlesh_vaghela 2021-07-07T16:48:22Z https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558688#M158730 <P>That worked perfectly, thanks!</P> Thu, 08 Jul 2021 13:31:49 GMT https://community.splunk.com/t5/Splunk-Search/Running-an-eval-after-a-sub-search-make-my-comparison-negative/m-p/558688#M158730 mybestfriendbob 2021-07-08T13:31:49Z