https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576208#M200808 <P>Hi -&nbsp;<BR />I have some data that looks like this, which ingests into splunk with no issues at all</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">11/24/2021 08:47:21.321,"category":"transaction","tc"="93","amount_approved":"9.99","amount_requested":"493.95" etc etc etc 11/24/2021 08:45:14.121,"category":"transaction","tc"="93","amount_approved":"5.99","amount_requested":"5.99" etc etc etc 11/24/2021 08:45:14.121,"category":"transaction","tc"="01","amount_approved":"6.99","amount_requested":"6.99" etc etc etc</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I want to do a a search to filter out the transactions to only see where the amounts differ</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=ABC sourcetype=XZX category=transaction tc=93 amount_approved!=amount_requested</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;That simple search doesn't work.&nbsp;&nbsp;&nbsp;&nbsp; splunk is not filtering on the <EM>amount_approved!=amount_requested&nbsp;</EM>comparison. &nbsp; &nbsp; In the example above I would get both "tc=93" transactions from the sample data , instead of just getting the first one.<BR /><BR />If I remove the <EM>amount_approved!=amount_requested</EM>&nbsp; from the search and add it to a where clause like this<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=ABC sourcetype=XZX category=transaction tc=93 |where amount_approved!=amount_requested</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>it works fine as I only get 1 event back.<BR />What is wrong with my initial search line?<BR /><BR />I would like to not read in all of the transactions before I filter, hence the need to put the comparison on the search line.&nbsp;</P> Wed, 24 Nov 2021 15:59:29 GMT randy_moore 2021-11-24T15:59:29Z https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576208#M200808 <P>Hi -&nbsp;<BR />I have some data that looks like this, which ingests into splunk with no issues at all</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">11/24/2021 08:47:21.321,"category":"transaction","tc"="93","amount_approved":"9.99","amount_requested":"493.95" etc etc etc 11/24/2021 08:45:14.121,"category":"transaction","tc"="93","amount_approved":"5.99","amount_requested":"5.99" etc etc etc 11/24/2021 08:45:14.121,"category":"transaction","tc"="01","amount_approved":"6.99","amount_requested":"6.99" etc etc etc</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I want to do a a search to filter out the transactions to only see where the amounts differ</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=ABC sourcetype=XZX category=transaction tc=93 amount_approved!=amount_requested</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;That simple search doesn't work.&nbsp;&nbsp;&nbsp;&nbsp; splunk is not filtering on the <EM>amount_approved!=amount_requested&nbsp;</EM>comparison. &nbsp; &nbsp; In the example above I would get both "tc=93" transactions from the sample data , instead of just getting the first one.<BR /><BR />If I remove the <EM>amount_approved!=amount_requested</EM>&nbsp; from the search and add it to a where clause like this<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=ABC sourcetype=XZX category=transaction tc=93 |where amount_approved!=amount_requested</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>it works fine as I only get 1 event back.<BR />What is wrong with my initial search line?<BR /><BR />I would like to not read in all of the transactions before I filter, hence the need to put the comparison on the search line.&nbsp;</P> Wed, 24 Nov 2021 15:59:29 GMT https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576208#M200808 randy_moore 2021-11-24T15:59:29Z https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576213#M200810 <P>The first query fails because the <FONT face="courier new,courier">search</FONT> command cannot handle a field name on both sides of an expression.&nbsp; The <FONT face="courier new,courier">where</FONT> command, however, does handle such an expression.</P> Wed, 24 Nov 2021 16:21:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576213#M200810 richgalloway 2021-11-24T16:21:45Z https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576217#M200812 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;&nbsp;&nbsp; I knew it was something simple that I had forgotten about.&nbsp;&nbsp; Says exactly that in the search reference guide, here: <A href="https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/Search" target="_blank" rel="noopener">Search Ref Guide</A>&nbsp;<BR /><BR /><STRONG><EM><SPAN class="">Comparing two fields</SPAN></EM></STRONG></P><P><EM>To compare two fields,&nbsp;<STRONG>do not</STRONG>&nbsp;specify&nbsp;index=myindex fieldA=fieldB&nbsp;or&nbsp;index=myindex fieldA!=fieldB&nbsp;with the&nbsp;search&nbsp;command. When specifying a comparison_expression, the&nbsp;search&nbsp;command expects a &lt;field&gt; compared with a &lt;value&gt;. The&nbsp;search&nbsp;command interprets&nbsp;fieldB&nbsp;as the value, and not as the name of a field.</EM></P><P><EM>Use thewherecommand to compare two fields.<BR /><BR /></EM>Thanks again<EM>!<BR /></EM></P> Wed, 24 Nov 2021 16:54:18 GMT https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576217#M200812 randy_moore 2021-11-24T16:54:18Z https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576239#M200827 <P>Appreciate the details. Very Helpful!</P><P>&nbsp;</P> Wed, 24 Nov 2021 19:46:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-comparison-not-working/m-p/576239#M200827 Sum_Var 2021-11-24T19:46:41Z