topic Re: How do you find the same field values but are in two different fields? in Splunk Search

How do you find the same field values but are in two different fields?

HealyManTech — Thu, 22 Feb 2018 14:04:05 GMT

I am trying to run a search to find the same field values will give me some results. An example would be if I wanted to see if an admin added himself to another group but it should have been someone else adding them. I am not sure how I would write something like that.

So something like if I have

field1=x and field2=y ignore 

field1=x and fielAny thoughts

Any thoughts?

Re: How do you find the same field values but are in two different fields?

elliotproebstel — Thu, 22 Feb 2018 14:51:36 GMT

If you just want to find events where the value in field1 matches the value in field2, that's very easy:

your base search that returns the events 
| where field1=field2

The where command will allow you to compare the values of the two fields.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where

Re: How do you find the same field values but are in two different fields?

HealyManTech — Thu, 22 Feb 2018 17:14:23 GMT

Worked thanks.

Just an FYI for anyone make sure you put that in before you table if you don't have those fields in your table command.

Re: How do you find the same field values but are in two different fields?

elliotproebstel — Thu, 22 Feb 2018 17:18:19 GMT

Good reminder for folks. Any transforming commands will potentially remove fields, so you must be careful to ensure you know which fields need to be preserved as you use them.