Solved: Re: how to compare different field value and list ...

fatboy3388 · ‎09-05-2018

Hi,
All i want to do is just find out email event which the (sender_email _address) is different with the (return_address) from the exchange log, could someone please help? thx

my search is :
index=msexchange | where in(sender_email_address, "") != in(return_address, "")

thx
Vincent

renjith_nair · ‎09-05-2018

@fatboy3388,

Does this work for you ?

index=msexchange | eval isDiff=if(sender_email_address==return_address,0,1)|where isDiff=1

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎09-05-2018

@fatboy3388,

Does this work for you ?

index=msexchange | eval isDiff=if(sender_email_address==return_address,0,1)|where isDiff=1

---
What goes around comes around. If it helps, hit it with Karma 🙂

fatboy3388 · ‎09-06-2018

thx ... with the command above , the returned return is .. is there any way to ignore the difference between upper and lowercase letter? thx

result:
sender_email return_address
abc@test.com ABC@test.com

renjith_nair · ‎09-06-2018

yes you could do lower or upper and compare

for eg.

index=msexchange | eval isDiff=if(lower(sender_email_address)==lower(return_address),0,1)|where isDiff=1

---
What goes around comes around. If it helps, hit it with Karma 🙂

fatboy3388 · ‎09-06-2018

thanks for the help!! well appreciated !

renjith_nair · ‎09-09-2018

@fatboy3388, Glad that it worked 🙂 . You could upvote also if the solution satisfies your requirement, so that others could also use

---
What goes around comes around. If it helps, hit it with Karma 🙂

how to compare different field value and list out the result?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio