https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382487#M173882 <P>Hello,</P> <P>I can't find out how to do a search to compare the same value in 2 fields, and if this is same value, add a third field.</P> <P>For exemple:<BR /> <STRONG>index1</STRONG> with <CODE>field1Index1</CODE> and <CODE>field2Index1</CODE><BR /> <STRONG>index2</STRONG> with <CODE>field1Index2</CODE></P> <P>In the search, if <CODE>field1Index1</CODE> = <CODE>field1Index2</CODE> then display <CODE>field1Index1</CODE> and <CODE>field2Index1</CODE> <BR /> NB: <CODE>field1Index1</CODE> associated to <CODE>field2Index1</CODE>in <STRONG>index1</STRONG></P> <P>I found different subjects on the forum with eval, if... but not with all that conditions.</P> <P>Can you help me?</P> <P>Thank you.</P> Fri, 28 Dec 2018 13:28:45 GMT ppiton 2018-12-28T13:28:45Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382487#M173882 <P>Hello,</P> <P>I can't find out how to do a search to compare the same value in 2 fields, and if this is same value, add a third field.</P> <P>For exemple:<BR /> <STRONG>index1</STRONG> with <CODE>field1Index1</CODE> and <CODE>field2Index1</CODE><BR /> <STRONG>index2</STRONG> with <CODE>field1Index2</CODE></P> <P>In the search, if <CODE>field1Index1</CODE> = <CODE>field1Index2</CODE> then display <CODE>field1Index1</CODE> and <CODE>field2Index1</CODE> <BR /> NB: <CODE>field1Index1</CODE> associated to <CODE>field2Index1</CODE>in <STRONG>index1</STRONG></P> <P>I found different subjects on the forum with eval, if... but not with all that conditions.</P> <P>Can you help me?</P> <P>Thank you.</P> Fri, 28 Dec 2018 13:28:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382487#M173882 ppiton 2018-12-28T13:28:45Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382488#M173883 <P>Can you try this ?<BR /> This will return results only if field1Index1=field1Index2</P> <P>| makeresults<BR /> | eval field1Index1= 4<BR /> | eval field2Index1= 7<BR /> | eval field1Index2= 4<BR /> | eval field1Index1New =case(field1Index1=field1Index2,field1Index1,field1Index2=field1Index1,field2Index1,1=0,0)<BR /> | where field1Index1New!=""<BR /> | table field2Index1 field1Index1New</P> Fri, 28 Dec 2018 14:17:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382488#M173883 saurabhkharkar 2018-12-28T14:17:27Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382489#M173884 <P>Ok but i don't need to set values 4 or 7.<BR /> I need to use values of search.<BR /> Thank you.</P> Fri, 28 Dec 2018 14:33:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382489#M173884 ppiton 2018-12-28T14:33:13Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382490#M173885 <P>yeah, all you have to use is </P> <P>index=index1 OR index=index2 <BR /> | eval field1Index1New =case(field1Index1=field1Index2,field1Index1,field1Index2=field1Index1,field2Index1,1=0,0)<BR /> | where field1Index1New!=""<BR /> | table field2Index1 field1Index1New</P> Fri, 28 Dec 2018 14:38:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-2-fields-in-different-indexes-to-add-a-third/m-p/382490#M173885 saurabhkharkar 2018-12-28T14:38:47Z