https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595069#M207072 <P>Why is bus/600 matched when there is a host with a different number on the same day?</P><P>Why is car/248 not matched when there isn't another entry for the same day?</P> Sun, 24 Apr 2022 16:33:08 GMT ITWhisperer 2022-04-24T16:33:08Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595065#M207069 <P>Team,<BR /><BR /><SPAN>I am having a query which would result as below.</SPAN></P> <TABLE width="334"> <TBODY> <TR> <TD width="142">_time</TD> <TD width="64">Host</TD> <TD width="64">Name</TD> <TD width="64">version</TD> </TR> <TR> <TD>3/2/2022&nbsp; 15:22:04 PM</TD> <TD>3</TD> <TD>car</TD> <TD>248</TD> </TR> <TR> <TD>3/1/2022&nbsp; 15:21:04 PM</TD> <TD>3</TD> <TD>car</TD> <TD>246</TD> </TR> <TR> <TD>3/1/2022&nbsp; 15:20:07PM</TD> <TD>2</TD> <TD>car</TD> <TD>246</TD> </TR> <TR> <TD>3/1/2022&nbsp; 15:20:03 PM</TD> <TD>3</TD> <TD>bus</TD> <TD>600</TD> </TR> <TR> <TD>3/1/2022&nbsp; 15:19:02 PM</TD> <TD>2</TD> <TD>bus</TD> <TD>600</TD> </TR> <TR> <TD>2/1/2022&nbsp; 15:20:03 PM</TD> <TD>3</TD> <TD>Toy</TD> <TD>600</TD> </TR> <TR> <TD>2/1/2022&nbsp; 15:19:02 PM</TD> <TD>2</TD> <TD>Toy</TD> <TD>248</TD> </TR> <TR> <TD>2/1/2022&nbsp; 14:19:02 PM</TD> <TD>2</TD> <TD>Toy</TD> <TD>248</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>After that i need final output like below.</P> <TABLE width="424"> <TBODY> <TR> <TD width="142">_time</TD> <TD width="64">Host</TD> <TD width="64">Name</TD> <TD width="64">version</TD> <TD width="90">Final</TD> </TR> <TR> <TD>2/1/2022&nbsp; 15:20:03 PM</TD> <TD>3</TD> <TD>Toy</TD> <TD>600</TD> <TD>Not matching</TD> </TR> <TR> <TD>3/1/2022&nbsp; 15:20:03 PM</TD> <TD>3</TD> <TD>bus</TD> <TD>600</TD> <TD>Matched</TD> </TR> <TR> <TD>3/1/2022&nbsp; 15:21:04 PM</TD> <TD>3</TD> <TD>car</TD> <TD>246</TD> <TD>Matched</TD> </TR> <TR> <TD>3/2/2022&nbsp; 15:22:04 PM</TD> <TD>3</TD> <TD>car</TD> <TD>248</TD> <TD>Not matching</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><SPAN>&nbsp;I&nbsp;</SPAN>am not sure to compare between columns itself. Could someone please help me out here.</P> <P>Thanks</P> Mon, 25 Apr 2022 15:08:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595065#M207069 Anud 2022-04-25T15:08:59Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595066#M207070 <P>What are your criteria for matching the columns?</P> Sun, 24 Apr 2022 13:55:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595066#M207070 ITWhisperer 2022-04-24T13:55:42Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595067#M207071 <P>Host is the criteria.</P><P>We need to check host latest and earliest time in a day... accordingly thier names and version have to compare.</P><P>Thankyou</P> Sun, 24 Apr 2022 14:58:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595067#M207071 Anud 2022-04-24T14:58:49Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595069#M207072 <P>Why is bus/600 matched when there is a host with a different number on the same day?</P><P>Why is car/248 not matched when there isn't another entry for the same day?</P> Sun, 24 Apr 2022 16:33:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595069#M207072 ITWhisperer 2022-04-24T16:33:08Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595072#M207075 <P>Here target is to check the version for the host and their names.</P><P>So we have only 2hosts...final version is compared to 2and 3hosts with their same names.</P><P>Sometimes it takes to another day,so we need compare pervious day host latest time.</P><P>Thank you</P> Sun, 24 Apr 2022 17:30:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595072#M207075 Anud 2022-04-24T17:30:29Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595080#M207079 <LI-CODE lang="markup">| eventstats dc(Host) as hosts by Name version | stats latest(_time) as _time latest(Host) as Host by Name version hosts | eval Final=if(hosts = 2, "Matched","Not matching")</LI-CODE> Sun, 24 Apr 2022 18:13:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/595080#M207079 ITWhisperer 2022-04-24T18:13:43Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/596113#M207515 <P>Thank you !!</P> Mon, 02 May 2022 06:58:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-the-values-with-the-time-and-host/m-p/596113#M207515 Anud 2022-05-02T06:58:22Z