Splunk Enterprise Security

Help required on comparing two field values?

New Member

Hi Team,

I got two field values:


Now i want to compare these two values either with search command or where command where my expected results is, I dont want output because field1 which contains xyz.com; is present in field2 also.

But If "field1=abc.com;" and "field2=xyz.com" where abc.com; is not equals to xyz.com then only I should get output.

Note: Need to ignore semicolon (;) and comparison should be case insensitive.

I tried with "where field1!=field2" and "field1=.field2." but not working

Thanks in advance.

0 Karma


It'll be better if you extract interested values from field1 and field2 using rex and then compare.

| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain

Sample query:

| makeresults 
| eval field1="abc.com;", field2="abc.xyz.com " 
| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain
0 Karma

Ultra Champion
0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...