https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590547#M205604 <P>When you run the query without the <FONT face="courier new,courier">where </FONT>clause, can you see any event where&nbsp;<SPAN>actordisplayName is not the same as targetUser?</SPAN></P><P><SPAN>I can think of two reasons why the <FONT face="courier new,courier">where</FONT> clause would return no results:</SPAN></P><P><SPAN>1) Every user is changing his own password</SPAN></P><P><SPAN>2) The user names in the two fields are in different formats (with and without domain name, for instance).</SPAN></P><P><SPAN>Again I ask, Can you share some sanitized results?</SPAN></P> Thu, 24 Mar 2022 00:12:15 GMT richgalloway 2022-03-24T00:12:15Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590515#M205595 <P>Hi All,</P> <P>I was working on a case where i have 2 fields extracted as "actordisplayName" &amp; "targetUser" in the same raw log.</P> <P>actordisplayName - who initiated the change,&nbsp;targetUser - to which user it was changed.</P> <P>index=something&nbsp; displayMes="User update password"<BR />| where actordisplayName!= targetUser<BR />| table _time user, displayMes, actordisplayName, targetUser outcome.result<BR /><STRONG>Running this for 30 days</STRONG></P> <P><STRONG>Requirement: I need to search only for users where&nbsp;actordisplayName &amp;&nbsp;targetUser is not same.</STRONG></P> <P><STRONG>Eg: I want only the results for my admin/someone who has done password reset for me</STRONG>, I don't want the results for me resetting the passwords for my account. In short i need results for where&nbsp;<STRONG>actordisplayName &amp;&nbsp;targetUser </STRONG>is not same.</P> Wed, 23 Mar 2022 18:02:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590515#M205595 ChethanNP 2022-03-23T18:02:04Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590523#M205596 <P>How is that query failing to meet the requirements?&nbsp; Can you share some sanitized results?</P> Wed, 23 Mar 2022 18:58:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590523#M205596 richgalloway 2022-03-23T18:58:31Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590526#M205598 <P>I don't see any results when i use "<SPAN>| where actordisplayName!= targetUser</SPAN>", maybe because some or other day between 30 days the&nbsp;<SPAN>actordisplayName would be the targetUser.</SPAN></P> Wed, 23 Mar 2022 19:12:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590526#M205598 ChethanNP 2022-03-23T19:12:26Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590528#M205600 <P>Your query is not doing any summarization, so it should be fetching all rows where password has changed and your query should work just fine. Just remove the where clause and see if you can manually find a record where they're different.</P> Wed, 23 Mar 2022 19:32:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590528#M205600 somesoni2 2022-03-23T19:32:04Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590534#M205602 <P>yes, I did find the results using&nbsp;</P><LI-CODE lang="markup">index=something displayMes="User update password" | table _time user, displayMes, actordisplayName, targetUser outcome.result</LI-CODE><P>&nbsp;that is why i wanted to remove where&nbsp;actordisplayName!=targetUser &amp; see but that's not working.</P> Wed, 23 Mar 2022 20:54:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590534#M205602 ChethanNP 2022-03-23T20:54:47Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590547#M205604 <P>When you run the query without the <FONT face="courier new,courier">where </FONT>clause, can you see any event where&nbsp;<SPAN>actordisplayName is not the same as targetUser?</SPAN></P><P><SPAN>I can think of two reasons why the <FONT face="courier new,courier">where</FONT> clause would return no results:</SPAN></P><P><SPAN>1) Every user is changing his own password</SPAN></P><P><SPAN>2) The user names in the two fields are in different formats (with and without domain name, for instance).</SPAN></P><P><SPAN>Again I ask, Can you share some sanitized results?</SPAN></P> Thu, 24 Mar 2022 00:12:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590547#M205604 richgalloway 2022-03-24T00:12:15Z https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590648#M205643 <P>Fixed!</P><P>Thanks for the help</P><P>Resolution:&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=something displayMes="User update password" | where 'actordisplayName'!='targetUser' | table _time user, displayMes, actordisplayName, targetUser outcome.result</LI-CODE> Thu, 24 Mar 2022 11:49:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-the-results-matching-the-same-fields-as-another/m-p/590648#M205643 ChethanNP 2022-03-24T11:49:42Z