Solved: Re: Correct way to use NOT match

jacqu3sy · ‎01-17-2020

Hi,

Whats the correct syntax to use when trying to return results where two fields DO NOT match?

Trying the following, but not within any great success;

| where NOT match(field A, field B)

Thanks.

efavreau · ‎01-17-2020

There are lots of ways to solve this. I might go with something like:

| makeresults 
| eval fieldA="12345" 
| eval fieldB="1234" 
| eval DoTheyMatch=case(
    fieldA = fieldB,"TheyMatch",
    1==1, "TheyDoNotMatch"
    ) 
| where DoTheyMatch="TheyDoNotMatch"

To go to the docs, be aware of the following background information:
https://docs.splunk.com/Documentation/Splunk/Latest/Search/NOTexpressions
https://docs.splunk.com/Documentation/Splunk/Latest/SearchReference/ConditionalFunctions

###

If this reply helps you, an upvote would be appreciated.

View solution in original post

acfecondo75 · ‎01-17-2020

| makeresults | eval fieldA=123, fieldB=321 | where fieldA!=fieldB

efavreau · ‎01-17-2020

There are lots of ways to solve this. I might go with something like:

| makeresults 
| eval fieldA="12345" 
| eval fieldB="1234" 
| eval DoTheyMatch=case(
    fieldA = fieldB,"TheyMatch",
    1==1, "TheyDoNotMatch"
    ) 
| where DoTheyMatch="TheyDoNotMatch"

To go to the docs, be aware of the following background information:
https://docs.splunk.com/Documentation/Splunk/Latest/Search/NOTexpressions
https://docs.splunk.com/Documentation/Splunk/Latest/SearchReference/ConditionalFunctions

###

If this reply helps you, an upvote would be appreciated.

starcher · ‎01-17-2020

as mentioned many ways

 | makeresults 
 | eval fieldA="12345" 
 | eval fieldB="1234"
 | where !like(fieldA,fieldB)

jacqu3sy · ‎01-17-2020

Thanks all. Was overthinking things.

adonio · ‎01-17-2020

| where A!=B

Correct way to use NOT match

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services