Splunk Enterprise Security

Help required on comparing two field values?

New Member

Hi Team,

I got two field values:


Now i want to compare these two values either with search command or where command where my expected results is, I dont want output because field1 which contains xyz.com; is present in field2 also.

But If "field1=abc.com;" and "field2=xyz.com" where abc.com; is not equals to xyz.com then only I should get output.

Note: Need to ignore semicolon (;) and comparison should be case insensitive.

I tried with "where field1!=field2" and "field1=.field2." but not working

Thanks in advance.

0 Karma


It'll be better if you extract interested values from field1 and field2 using rex and then compare.

| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain

Sample query:

| makeresults 
| eval field1="abc.com;", field2="abc.xyz.com " 
| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain
0 Karma

Ultra Champion
0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...