https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248402#M74132 <P>Try this. It will show event in the subsearch that are not in the main search.</P> <PRE><CODE>| ldapsearch search=(&amp;(objectClass=group)(cn=OMITTED)) attrs="member" | mvexpand member | xmlkv| eval member= substr(member, 4,6)|rename member AS Field1| join type=inner Field1 [search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5| rename OMITTED6 AS Field1] </CODE></PRE> Mon, 28 Nov 2016 17:59:37 GMT richgalloway 2016-11-28T17:59:37Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248401#M74131 <P>Hi community,</P> <P>I have a combined search which includes two sourcetypes. Both include a field with a username. Let's say it looks like this:</P> <P>Sourcetype1 <STRONG>Field1</STRONG>: </P> <P>User1<BR /> User2</P> <P>Sourcetype2 <STRONG>Field2</STRONG>:</P> <P>User1<BR /> User2<BR /> <EM>User3</EM></P> <P>I need the values that are present in <STRONG>Field2</STRONG>, and are not in <STRONG>Field1</STRONG>. The other way around is not of interest, so a simple count and looking at &lt;2 is not an option. So, my search needs to reflect that <STRONG>User3</STRONG> is a value of an event in <STRONG>Field2</STRONG>, but not a value of an event in <STRONG>Field1</STRONG>.</P> <P>How do I do that within my search?</P> <P>The search itself:</P> <PRE><CODE>| ldapsearch search=(&amp;(objectClass=group)(cn=*OMITTED*)) attrs="member" | mvexpand member | xmlkv| eval member= substr(member, 4,6)|rename member AS Field1| append [search sourcetype="*OMITTED2*" source="*OMITTED3*" *OMITTED4*=*OMITTED5*| rename *OMITTED6* AS Field2] </CODE></PRE> <P>With many thanks! </P> Mon, 28 Nov 2016 16:43:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248401#M74131 splunkerneedshe 2016-11-28T16:43:34Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248402#M74132 <P>Try this. It will show event in the subsearch that are not in the main search.</P> <PRE><CODE>| ldapsearch search=(&amp;(objectClass=group)(cn=OMITTED)) attrs="member" | mvexpand member | xmlkv| eval member= substr(member, 4,6)|rename member AS Field1| join type=inner Field1 [search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5| rename OMITTED6 AS Field1] </CODE></PRE> Mon, 28 Nov 2016 17:59:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248402#M74132 richgalloway 2016-11-28T17:59:37Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248403#M74133 <P>It gives back 0 results. If I place:</P> <P><EM>join type=inner SOME_BOGUS_FIELD</EM></P> <P>instead of</P> <P><EM>join type=inner Field1</EM> </P> <P>It gives results. But way less values for Field2 than I would expect. So something is not working correctly. Maybe that has to do with the ldapsearch module. I tried converting Field1 to string using:</P> <P><EM>eval Field1=tostring(Field1)</EM></P> <P>but that did not help. </P> <P>Do you have any idea how to proceed?</P> Tue, 29 Sep 2020 11:59:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248403#M74133 splunkerneedshe 2020-09-29T11:59:43Z https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248404#M74134 <P>Perhaps I renamed the wrong OMITTED field to Field1. Modify the query so Field1 is the same in both the main search and the subsearch.</P> Tue, 29 Nov 2016 13:22:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-compare-values-from-two-fields-from-different-sources-but/m-p/248404#M74134 richgalloway 2016-11-29T13:22:24Z