topic Re: != in splunk in Splunk Search

!= in splunk

mithragangothri — Sun, 20 Nov 2016 07:38:35 GMT

i have two fields uderid and serial number. i need to find all the machines whose userid is not equal to serial number. how to do that . i tried with != operator ,NOT operator and all,nothong worked.please help

Re: != in splunk

SierraX — Sun, 20 Nov 2016 13:10:30 GMT

 {Base search} | eval eq=if(userid=snr, 1,2) | search eq=2

Re: != in splunk

Richfez — Sun, 20 Nov 2016 13:13:35 GMT

Try the match operator for eval/where.

You don't provide any events or your search, so I'm just guessing, but ...

... Your base search ... | where not match(userid,serialnumber)

This gets wonky if you have spaces in either field name, but if you can edit the question (or add a comment) with more information I'm sure we can get this sorted out for you.

Items to add that would help us help you? One or two of the searches you tried (that gives us context), perhaps a couple of events (which gives us data patterns). Be sure to use the code button to format each one!

Happy Splunking,
Rich

Re: != in splunk

SierraX — Sun, 20 Nov 2016 13:39:23 GMT

A search at splunk can't compare values from one key to another.
Not sure other BigData tools can do that directly at the search.
Anyway... the search was written very quick and the eval can also used as automatic generated field when needed. When you have it in a auto generated field... you can also filter it in your Base search

Re: != in splunk

martin_mueller — Sun, 20 Nov 2016 16:39:46 GMT

I wouldn't recommend match() because it expects a regular expression as its second argument. Depending on your serialnumber values that can get very ugly.
Instead, use != or NOT if you want "not equals": | where userid != serialnumber or | where NOT userid = serialnumber
Be aware this is a case sensitive comparison.

In the search command - especially before the first pipe -, userid != serialnumber treats serialnumber as "serialnumber" - you're looking for nonequality to a string. I'd say it's an early design decision in SPL to make searching for strings easier, at the cost of making comparing two fields with each other harder.

Re: != in splunk

mithragangothri — Mon, 21 Nov 2016 01:41:19 GMT

HI All,
thanks for your promt response. i tried all these possibility and no luck .
i will explain more elaboratively .

I need to know List of "outletID" where two field do NOT have same Value.
The two fields being UserName , Serialnumber from known index and source type .

i tried just like

index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where NOT UserName=serialNumber| table UserName OutletID

Also when i put |table username,outletid serialnumber it shows only username and outletid(only the 1st two fields).Why is this so?

Re: != in splunk

dbcase — Mon, 21 Nov 2016 12:28:52 GMT

Try this

index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where UserName!=serialNumber| table UserName OutletID

Re: != in splunk

SierraX — Mon, 21 Nov 2016 17:00:52 GMT

 index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where NOT UserName=serialNumber| table UserName OutletID serialNumber

Keys are always Case sensitive - Values are not Case sensitive by default, Field-names are Keys

When you are starting to develop a search:
Do first the search (without a where and table) to make sure you got Events
Then add your where modifier and see you have not as many events like before
Then add your table modifier and change from clever search mode to verbose search mode
When Fields in a Table are empty , means in general the Field is empty (with a "") or does not exist (with a NULL)... you have to take a look to the events to figure out

Without the events nobody here can say where your problems are. Especially when you are always change the case of keys in your descriptions of your problem.

Re: != in splunk

martin_mueller — Tue, 22 Nov 2016 08:31:36 GMT

The docs now explicitly mention how to compare fields: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Search#Comparing_two_fields