Splunk Enterprise Security

Help required on comparing two field values?

New Member

Hi Team,

I got two field values:


Now i want to compare these two values either with search command or where command where my expected results is, I dont want output because field1 which contains xyz.com; is present in field2 also.

But If "field1=abc.com;" and "field2=xyz.com" where abc.com; is not equals to xyz.com then only I should get output.

Note: Need to ignore semicolon (;) and comparison should be case insensitive.

I tried with "where field1!=field2" and "field1=.field2." but not working

Thanks in advance.

0 Karma


It'll be better if you extract interested values from field1 and field2 using rex and then compare.

| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain

Sample query:

| makeresults 
| eval field1="abc.com;", field2="abc.xyz.com " 
| rex field=field1 "(?<field1_domain>\w+.\w+)\W?$" 
| rex field=field2 "(?<field2_domain>\w+.\w+)\W?$" 
| where field1_domain != field2_domain
0 Karma

Ultra Champion
0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! &#x1f308; In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...