https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591405#M205879 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>I suppose that you already checked if there's a space at the beginning or the eand of both values.</P><P>Anyway, please rename the field with dot and try again:</P><LI-CODE lang="markup">index=xxx sourcetype=xxxx .... | rename actor.alternateId AS alternateId | eval match=if(alternateId=src_user_email,"Match","No Match")</LI-CODE><P>sometimes dot gives problem in eval command.</P><P>Ciao.,</P><P>Giuseppe</P> Wed, 30 Mar 2022 06:38:31 GMT gcusello 2022-03-30T06:38:31Z https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591400#M205875 <P>Hi All,&nbsp;<BR />I need to filter my search based on the condition if the values of 2 fields are equal or not.&nbsp; The 2 fields in question are actor.alernateID&nbsp; and src_user_email and both fields are visible in the same event.<BR /><BR />For example:&nbsp; Raw data shows value of <STRONG>actor.alternateID</STRONG> is&nbsp; <STRONG>&nbsp;anand.pandey@company.com</STRONG><BR /><BR />&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_0-1648619765791.png" style="width: 555px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18834i1A1396217B4448E4/image-dimensions/555x274?v=v2" width="555" height="274" role="button" title="neerajs_81_0-1648619765791.png" alt="neerajs_81_0-1648619765791.png" /></span></P><P>Likewise, Raw data shows value or <STRONG>src_user_email</STRONG> is also same:&nbsp; <STRONG><A href="mailto:anand.pandey@company.com" target="_blank" rel="noopener">anand.pandey@company.com</A><BR /><BR /></STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_1-1648619923583.png" style="width: 576px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18835i5F014075FCC6710C/image-dimensions/576x163?v=v2" width="576" height="163" role="button" title="neerajs_81_1-1648619923583.png" alt="neerajs_81_1-1648619923583.png" /></span></P><P>If i run the following search,&nbsp; the value of the field <STRONG>match&nbsp;</STRONG> comes out to be <STRONG>"No match"</STRONG>&nbsp;.&nbsp; Why is eval showing them to be not a match if both field values are the same ?&nbsp;<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=xxx sourcetype=xxxx .... | eval match=if(actor.alternateId=src_user_email,"Match","No Match")</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="neerajs_81_3-1648620163158.png" style="width: 605px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/18839iA39974C55A634BE3/image-dimensions/605x214?v=v2" width="605" height="214" role="button" title="neerajs_81_3-1648620163158.png" alt="neerajs_81_3-1648620163158.png" /></span><BR /><BR />Likewise, instead&nbsp; if i&nbsp; use the where condition instead of eval&nbsp; ,&nbsp; this shows NO results to display;&nbsp; &nbsp;meaning&nbsp; even the where clause thinks both fields are different .&nbsp;&nbsp;<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">|where src_user_email = actor.alternateID</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The same is happening for other email IDs and other fields even though their values are same.</P><P>What am i doing wrong here?&nbsp;How to compare fields then?&nbsp; Both are strings.<STRONG><BR /><BR /></STRONG></P> Wed, 30 Mar 2022 06:08:42 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591400#M205875 neerajs_81 2022-03-30T06:08:42Z https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591405#M205879 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>I suppose that you already checked if there's a space at the beginning or the eand of both values.</P><P>Anyway, please rename the field with dot and try again:</P><LI-CODE lang="markup">index=xxx sourcetype=xxxx .... | rename actor.alternateId AS alternateId | eval match=if(alternateId=src_user_email,"Match","No Match")</LI-CODE><P>sometimes dot gives problem in eval command.</P><P>Ciao.,</P><P>Giuseppe</P> Wed, 30 Mar 2022 06:38:31 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591405#M205879 gcusello 2022-03-30T06:38:31Z https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591409#M205883 <P class="lia-align-left">Holly Molly <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp; Just when i was going thru your other post , you replied to my question.<BR /><A href="https://community.splunk.com/t5/Splunk-Search/comparing-fields-to-find-identical-values/m-p/533089" target="_blank">https://community.splunk.com/t5/Splunk-Search/comparing-fields-to-find-identical-values/m-p/533089</A>&nbsp;</P><P class="lia-align-left">Thank you so much that worked.&nbsp;&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span>&nbsp;&nbsp;<BR /><BR />Now is the . dot in the field name&nbsp; an issue with&nbsp; |<STRONG>search</STRONG>&nbsp; and <STRONG>|where&nbsp; </STRONG>clause&nbsp; also ?&nbsp; Because i did try comparing using both search and where&nbsp; in additional to eval&nbsp; as you mentioned in the other post and both didn't work.&nbsp; Do i need to <STRONG>rename </STRONG>the field if comparing via&nbsp; |search and |where as well ?</P> Wed, 30 Mar 2022 06:56:38 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591409#M205883 neerajs_81 2022-03-30T06:56:38Z https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591415#M205887 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>I'm not sure about all the situations where dot gives problem, I'm sure about eval!</P><P>But anyway, I always rename eventual fields with dot or parenthesis or spaces or other strange chars.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 30 Mar 2022 07:10:06 GMT https://community.splunk.com/t5/Splunk-Search/Eval-Comparision-shows-no-matches-despite-both-fields-having/m-p/591415#M205887 gcusello 2022-03-30T07:10:06Z