Re: Help required on comparing two field values?

Ankush_Kumar · ‎04-18-2020

Hi Team,

I got two field values:

field1=xyz.com;
field2=abc.xyz.com

Now i want to compare these two values either with search command or where command where my expected results is, I dont want output because field1 which contains xyz.com; is present in field2 also.

But If "field1=abc.com;" and "field2=xyz.com" where abc.com; is not equals to xyz.com then only I should get output.

Note: Need to ignore semicolon (;) and comparison should be case insensitive.

I tried with "where field1!=field2" and "field1=.field2." but not working

Thanks in advance.

manjunathmeti · ‎04-21-2020

It'll be better if you extract interested values from field1 and field2 using rex and then compare.

| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain

Sample query:

| makeresults 
| eval field1="abc.com;", field2="abc.xyz.com " 
| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain

to4kawa · ‎04-18-2020

use trim() and compare with match() or like()

reference:https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConditionalFunctions#match.28SUB...

Help required on comparing two field values?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann