https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615924#M214140 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248856">@metylkinandrey</a>,</P><P>if the structure of the second field is fixed, you can use a regex to extract a part of the second field to compare with the first field, something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | rex field=field2 "^(?&lt;field2_num&gt;\d+)\." | search field1=field2_num</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 05 Oct 2022 06:51:18 GMT gcusello 2022-10-05T06:51:18Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615923#M214139 <P>Prompt as I can make arithmetic comparison of two fields. Comparison: more, less.<BR />The first field consists of numbers: field="1", field="2"<BR />The second of numbers and letters: field="1.route", field="2.route"</P> Wed, 05 Oct 2022 13:23:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615923#M214139 metylkinandrey 2022-10-05T13:23:41Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615924#M214140 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248856">@metylkinandrey</a>,</P><P>if the structure of the second field is fixed, you can use a regex to extract a part of the second field to compare with the first field, something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | rex field=field2 "^(?&lt;field2_num&gt;\d+)\." | search field1=field2_num</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 05 Oct 2022 06:51:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615924#M214140 gcusello 2022-10-05T06:51:18Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615992#M214141 <P>Giuseppe, Hello!<BR />I do not quite understand how it works, it gives an error:<BR />error in 'rex' command: The regex '(routepointID)=routepointID2' does not extract anything. It should specify at least one named group. Format: (?&lt;name&gt;...).</P><P>What am I doing:<BR />| rex routepointID=routepointID2 "^(?&lt;routepointID2_num&gt;\d+)\."</P><P>What I need:<BR />Where: "routepointID": "1.SAPS-SIS.TO.LSP.SEND" or "routepointID": "2.SAPS-SIS.TO.LSP.RECEIVE"</P><P>I want to receive: "routepointID2_num": "1" or "routepointID2_num": "1"</P> Wed, 05 Oct 2022 13:58:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/615992#M214141 metylkinandrey 2022-10-05T13:58:01Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616016#M214142 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248856">@metylkinandrey</a>,</P><P>read again the rex command syntax at <A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex</A> :</P><LI-CODE lang="markup">| rex field=routepointID "^(?&lt;routepointID_num&gt;\d+)\."</LI-CODE><P>Could youshare a sample of your logs?</P><P>I have to understand if you have both the values in the same event or in two different events for the comparison.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 05 Oct 2022 15:13:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616016#M214142 gcusello 2022-10-05T15:13:56Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616120#M214143 <P>Giuseppe, within one message, the field can take only one value, either: 1.SAPS-SIS.TO.LSP.SEND, or: "2.SAPS-SIS.TO.LSP.RECEIVE".<BR />I still don't understand what I need<BR />AT:<BR />| rex field=routepointID "^(?&lt;routepointID_num&gt;\d+)\."<BR />What does refer to: field?<BR />Am I doing the right thing if I want to get a new field "routepointIDnum": "1" or "routepointIDnum": "2"<BR />So?<BR />| rex routepointIDnum=routepointID "^(?&lt;routepointID_num&gt;\d+)\."</P><P>&lt;routepointID_num&gt; - what should I substitute instead?</P> Thu, 06 Oct 2022 09:55:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616120#M214143 metylkinandrey 2022-10-06T09:55:05Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616136#M214144 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248856">@metylkinandrey</a>,</P><P>as you can read in the above link (<A href="https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex" target="_blank" rel="nofollow noopener noreferrer">https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex</A><SPAN>&nbsp;)</SPAN>, in the rex command you can specify a field for regex application,</P><P>in other words, if you don't specify any field, the regex is applied to the entire event (_raw),</P><P>if instead you specify a field, the regex is appliad, as in your case, only to the specified field.</P><P>The meaning of the command I sent you is:</P><P>take in the field "<SPAN>routepointID"&nbsp;the number that is at the beginning of the field and put it in a field called "routepointID_num"</SPAN></P><P><SPAN>In this way, in the&nbsp;routepointID_num field you have the numbers to match.</SPAN></P><P><SPAN>For this reason you cannot put the condition in the rex command, but you have to put it in the following command.</SPAN></P><P><SPAN>The questions now are: </SPAN></P><UL><LI><SPAN>are the two values of routepointID field for field extraction and comparison in the same event or in two different events?</SPAN></LI><LI><SPAN>and, if they are in two events, how can I correlate them? there's a common value in a field (a correlation key)?</SPAN></LI></UL><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Thu, 06 Oct 2022 10:20:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616136#M214144 gcusello 2022-10-06T10:20:19Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616160#M214145 <P><SPAN>Giuseppe,&nbsp;thank you!</SPAN></P><P><SPAN>Figured it out, it worked:</SPAN></P><P><SPAN>index="main" sourcetype="testsystem-script333" </SPAN></P><P><SPAN>| rex field=routepointID "^(?&lt;routepointID_num&gt;\d+)\." </SPAN></P><P><SPAN>| table routepointID_num</SPAN></P><P>&nbsp;</P> Thu, 06 Oct 2022 11:08:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616160#M214145 metylkinandrey 2022-10-06T11:08:28Z https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616166#M214146 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/248856">@metylkinandrey</a>,</P><P>if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 06 Oct 2022 12:12:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-comparison-of-a-field-with-a-digit-with-a-field/m-p/616166#M214146 gcusello 2022-10-06T12:12:21Z