https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639351#M221524 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254266">@hoseineagle</a>,</P><P>could you share some sample of your logs?</P><P>Ciao.</P><P>Giuseppe</P> Mon, 10 Apr 2023 10:15:22 GMT gcusello 2023-04-10T10:15:22Z https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639350#M221523 <DIV class=""> <DIV class="">Hi all,</DIV> <DIV class="">I have two fields. I want a splunk query that not a field contains another field.</DIV> <DIV class="">For example field1 is ::ffff:127.0.0.1 and the field2 is 127.0.0.1 , so I dont want to see the queries that field1 contains field2.</DIV> <DIV class="">Thank you</DIV> </DIV> Mon, 10 Apr 2023 16:56:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639350#M221523 hoseineagle 2023-04-10T16:56:16Z https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639351#M221524 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254266">@hoseineagle</a>,</P><P>could you share some sample of your logs?</P><P>Ciao.</P><P>Giuseppe</P> Mon, 10 Apr 2023 10:15:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639351#M221524 gcusello 2023-04-10T10:15:22Z https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639388#M221536 <P>If you want a simple comparison between two fields in the same event you just need to do a where command. Like</P><PRE>&lt;your_base_search&gt; <BR />| where fielda!=fieldb</PRE><P>Be warned however that it works much slower than if you were looking for some specific field values since Splunk has to retrieve all results from your base search and then - event by event - parse out your fields and verify whether they fit your criteria or not. So you should be as specific as you can in your base search anyway to limit data Splunk needs to fetch from indexes.</P><P>EDIT: I see you don't want a simple equality comparison but a more complicated one. That's ok, you can use the "where" command with any expression that yields boolean results so you can use - for example - like() function.</P> Mon, 10 Apr 2023 17:06:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639388#M221536 PickleRick 2023-04-10T17:06:41Z https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639414#M221546 <P>Try something like this (replace line one with your search)</P><LI-CODE lang="markup">| makeresults | eval field1="::ffff:127.0.0.1", field2="127.0.0.1" | where like(field1,"%".field2)</LI-CODE> Mon, 10 Apr 2023 19:23:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639414#M221546 somesoni2 2023-04-10T19:23:32Z https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639459#M221561 <P>It looks like the OP wants the opposite. &nbsp;So</P><LI-CODE lang="markup">| where NOT like(field1,"%".field2)</LI-CODE><P>Anyway, what you are asking seems quite domain-specific. &nbsp;So, this may not be the generalization your application calls for.</P> Tue, 11 Apr 2023 07:28:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-result-of-if-a-field-not-contains-another-field/m-p/639459#M221561 yuanliu 2023-04-11T07:28:59Z