Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

match 2 fields with same value

ecanmaster
Explorer
‎11-22-2017 07:23 AM

I have a search and need to match 2 fields and show the match. I tried eval match(field1, field2) and eval results = if(match(field2,field1)) , but that failes

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎11-22-2017 08:53 AM

I think you may be making some incorrect assumptions about how things work.

The answers you are getting have to do with testing whether fields on a single event are equal.

If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.

Here's the basic stats version. Try to use this form if you can, because it's usually most efficient...

(index=foo1 some other search for record with field1) OR 
(index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * by matchfield

Here's a basic join version... 

(index=foo1 some other search for record with field1) 
| fields index field1 whatever you need from field1 record
| eval matchfield=field1
| join matchfield [ search 
    index=foo2 some other search for records with field2 
   | fields index field2 whatever you need from field2 record
   | eval matchfield=field2
   ]

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎11-22-2017 08:53 AM

I think you may be making some incorrect assumptions about how things work.

The answers you are getting have to do with testing whether fields on a single event are equal.

If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.

Here's the basic stats version. Try to use this form if you can, because it's usually most efficient...

(index=foo1 some other search for record with field1) OR 
(index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * by matchfield

Here's a basic join version... 

(index=foo1 some other search for record with field1) 
| fields index field1 whatever you need from field1 record
| eval matchfield=field1
| join matchfield [ search 
    index=foo2 some other search for records with field2 
   | fields index field2 whatever you need from field2 record
   | eval matchfield=field2
   ]
Reply
Solved! Jump to solution

ecanmaster
Explorer
‎11-22-2017 08:16 AM

It seems that field1 and field2 cannot be gathered from the main search, so I need to get a subsearch that gets fields 2 and then I have search for the same value's

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-22-2017 08:37 AM

@ecanmaster, as per your question @micahkemp's answer would suffice the need. Seems like your data is not as per the condition provided in your question. So can you add sample events for the two fields with the field names? Also if you add a details around what is the desired output?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-22-2017 07:49 AM

Hi @ecanmaster,

Can you please try this?

| makeresults 
| eval field1="MyValue",field2="MyValue" 
| eval results1=if(field1=field2,"Yes","No") 
| eval results2=if(match(field1,field2),"Yes","No")

Here results1 shows the direct comparison of two fields.
Here results1 shows the comparison of two fields using match.
If you want to filter events where both fields are same then use below condition.

| where match(field1,field2)

Thanks

Reply
Solved! Jump to solution

micahkemp
Champion
‎11-22-2017 07:27 AM

Try:

| where field2=field1

match uses regex, not values from other fields, but where will compare two fields.

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...