Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Compare 2 field values from different sources.

arrowecssupport
Communicator
‎07-22-2016 10:21 AM

Scenario
We process emails looking for order numbers (ON). We need to be able to compare the order numbers we seen in the emails to our database. We're looking for matching and not matching order numbers.

How the data looks.
ON_email: 123, 234, 345, 456
ON_database: 123, 098, 456

Order numbers that match (seen in both database and emails): 123, 456
Order numbers only seen in database: 098
Order numbers only seen in emails: 234, 345

index = a OR index = b | table ON_email ON_database<< This works and shows all the data.
But when i try to compare i can't see any data.

Any ideas?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-23-2016 03:29 AM

try this:

| eval count=0 | append [ search  | stats count by order_number ] | stats sum(count) AS Total | where Total>0

in this way you can find the result of the first search that are also in the second one.
Be careful: the field name must be the same in both the searches, id they aren't, rename one of them.
Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-09-2016 04:20 AM

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

0 Karma
Reply

sundareshr
Legend
‎07-22-2016 10:58 AM

Try this

index = a OR index = b | makemv ON_email delim="," | makemv delim=","  ON_database | eval ON=coalesce(ON_email, ON_database) | mvexpand ON | stats values(ON) by index
0 Karma
Reply

woodcock
Esteemed Legend
‎07-22-2016 10:36 AM

Try this:

index = a OR index = b | eval ON=coalesce(ON_email, ON_database) | stats dc(index) values(index) BY ON

Or maybe this:

index = a OR index = b | eval ON=coalesce(ON_email, ON_database) | stats values(ON) BY index
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...