Solved: how to compare different field value and list out ...

fatboy3388 · ‎09-05-2018

Hi,
All i want to do is just find out email event which the (sender_email _address) is different with the (return_address) from the exchange log, could someone please help? thx

my search is :
index=msexchange | where in(sender_email_address, "") != in(return_address, "")

thx
Vincent

renjith_nair · ‎09-05-2018

@fatboy3388,

Does this work for you ?

index=msexchange | eval isDiff=if(sender_email_address==return_address,0,1)|where isDiff=1

Happy Splunking!

View solution in original post

renjith_nair · ‎09-05-2018

@fatboy3388,

Does this work for you ?

index=msexchange | eval isDiff=if(sender_email_address==return_address,0,1)|where isDiff=1

Happy Splunking!

fatboy3388 · ‎09-06-2018

thx ... with the command above , the returned return is .. is there any way to ignore the difference between upper and lowercase letter? thx

result:
sender_email return_address
abc@test.com ABC@test.com

renjith_nair · ‎09-06-2018

yes you could do lower or upper and compare

for eg.

index=msexchange | eval isDiff=if(lower(sender_email_address)==lower(return_address),0,1)|where isDiff=1

Happy Splunking!

fatboy3388 · ‎09-06-2018

thanks for the help!! well appreciated !

renjith_nair · ‎09-09-2018

@fatboy3388, Glad that it worked 🙂 . You could upvote also if the solution satisfies your requirement, so that others could also use

Happy Splunking!

how to compare different field value and list out the result?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update