https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71778#M17934 <P>I think I have it figured out - it's a weird one! Field names are supposed to contain letters, numerals or the underscore, and must start with a letter. <CODE>name-combo</CODE> violates this rule, but Splunk doesn't complain! The reason why it doesn't work is that in the if statement, Splunk interprets your test as `name - combo = name" - this will never match...</P> <P>So change <CODE>name-combo</CODE> to <CODE>name_combo</CODE> and it should work.</P> Wed, 26 Sep 2012 22:37:29 GMT lguinn2 2012-09-26T22:37:29Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71773#M17929 <P>I have the output of a firewall config, i want to make sure that our naming standard is consistent with the actual function of the network object.</P> <P>I have a table of the name of the object and the subnet and mask. I want to compare the name and name-combo fields to see if they are the same, and show only those that are not the same.</P> <P>example row<BR /> cluster name name-combo subnet bits match<BR /> 1 FW1-2 NET69.90.64.0-20 NET69.90.64.0-20 69.90.64.0 20 No Match<BR /> 2 FW1-2 NET69.90.63.0-8 NET69.90.63.0-20 69.90.64.0 20 No Match</P> <P>here is my search</P> <PRE><CODE>`abc_firewall_rules` eventtype=subnet [search index="abc_rules" eventtype=subnet | dedup cluster | fields + source] | dedup name,cluster | eval name-combo="NET".subnet."-".bits | eval match=if(name-combo=name,"Match","No Match") | table cluster,name,name-combo,subnet,bits,match </CODE></PRE> <P>row 1 should show match and row 2 should show no match..</P> <P>have tried using | where NOT name=name-combo<BR /> have tried using | where name!=name-combo</P> <P>all show ro results found but in my sample data there are rows that do not match and should show up..</P> <P>any ideas ?</P> Wed, 26 Sep 2012 16:25:36 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71773#M17929 EricPartington 2012-09-26T16:25:36Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71774#M17930 <P>I usually do some checks on my fields when this happens using eval to makes sure that i'm comparing what I expect. This should be comparing string to string but make the types are ok "eval test = if( isstr(name)", "String", "Not String" } table test)". Everything looks good as far as i can tell.</P> Wed, 26 Sep 2012 18:39:38 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71774#M17930 sdaniels 2012-09-26T18:39:38Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71775#M17931 <P>If your search is working properly, you should have output, regardless of whether things match or not. Does this search return any results? What does the search job inspector say?</P> <PRE><CODE>`abc_firewall_rules` eventtype=subnet [search index="abc_rules" eventtype=subnet | dedup cluster | fields + source] </CODE></PRE> <P>I am guessing that this is a problem with your search, not your logic.</P> Wed, 26 Sep 2012 18:45:55 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71775#M17931 lguinn2 2012-09-26T18:45:55Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71776#M17932 <P>well getting somewhere now..</P> <P>appears that my field name-combo is not a string (thanks for your test command).</P> <P>so i tried to convert the field to string with<BR /> eval name-combo=tostring(name-combo)<BR /> however not able to get a "string" output from that</P> Wed, 26 Sep 2012 18:47:22 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71776#M17932 EricPartington 2012-09-26T18:47:22Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71777#M17933 <P>the search is fine, i get results from that search, the problem appears to be the concat string isnt coming out as a string to compare with</P> Wed, 26 Sep 2012 18:48:53 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71777#M17933 EricPartington 2012-09-26T18:48:53Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71778#M17934 <P>I think I have it figured out - it's a weird one! Field names are supposed to contain letters, numerals or the underscore, and must start with a letter. <CODE>name-combo</CODE> violates this rule, but Splunk doesn't complain! The reason why it doesn't work is that in the if statement, Splunk interprets your test as `name - combo = name" - this will never match...</P> <P>So change <CODE>name-combo</CODE> to <CODE>name_combo</CODE> and it should work.</P> Wed, 26 Sep 2012 22:37:29 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71778#M17934 lguinn2 2012-09-26T22:37:29Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71779#M17935 <P>i have a similar problem. I apply a filter after stats:</P> <PRE><CODE>stats dc(field1) as someCount dc(someThing) as otherCount by group | search NOT someCount=otherCount </CODE></PRE> <P>The above search returns all values, regardless of whether they match or not, so assuming its checking where someCount matches a literal of "otherCount". This works:</P> <PRE><CODE>... | eval countDiff=someCount-otherCount | search NOT countDiff=0 </CODE></PRE> <P>HTH</P> Mon, 28 Jan 2013 08:27:22 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71779#M17935 brettcave 2013-01-28T08:27:22Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71780#M17936 <P>Actually Brett, your problem is different.</P> <P><CODE>| search NOT someCount=otherCount</CODE> </P> <P>is interpreted as</P> <P><CODE>| search NOT someCount="otherCount"</CODE></P> <P>search always searches for name=value, whether you use the quotes around the value or not. You could make the first search work by using <CODE>where</CODE> instead:</P> <P><CODE>... | stats dc(field1) as someCount dc(someThing) as otherCount by group <BR /> | where NOT someCount=otherCount</CODE></P> Fri, 08 Feb 2013 20:43:51 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/71780#M17936 lguinn2 2013-02-08T20:43:51Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/543565#M153969 <P>what if 1 field&nbsp; with string "A" is the substring&nbsp; of flied "B"?<BR /><STRONG>|where B=*A* ,&nbsp;</STRONG><BR />how can we find out that?<BR /><BR /><BR /></P> Fri, 12 Mar 2021 17:01:41 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/543565#M153969 payal4296 2021-03-12T17:01:41Z https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/543651#M153995 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129849">@payal4296</a>,</P><P>Please try below; checking if field A is a substring of field B...</P><LI-CODE lang="markup">| eval A="%".A."%" | where B like A</LI-CODE><P>&nbsp;</P> Sat, 13 Mar 2021 15:27:27 GMT https://community.splunk.com/t5/Splunk-Search/compare-two-field-values-for-equality/m-p/543651#M153995 scelikok 2021-03-13T15:27:27Z