Compare 2 fields

mcafeesecure · ‎06-28-2010

Basically I have a line of data that looks like this:

Jun 28 14:15:10 sc4-app04.mcafeesecure.com portal: ACCESS Click Referrer[bluecigs.com][http://www.blucigs.com/privacy-policy]

I have rex set up to extract two parts of this:

rex "(?i) Referrer\\[(?P<REF1>[^\\]]*)(?=\\])" | rex "(?i)www\.(?P<REF2>[^/]*)(?=/)"

This will basically give me 2 fields I can search on REF1 and REF2.

I would like only messages that do NOT have those two fields matching to show up for instance, in the previous entry I get

REF1=bluecigs.com
REF2=bluecigs.com

the following line I would have them NOT matching:

Jun 28 14:15:10 sc4-app04.mcafeesecure.com portal: ACCESS Click Referrer[bluecigs.com][http://www.SOMEOTHERDOMAIN.com/]

IE: REF1=bluecigs.com
REF2=SOMEOTHERDOMAIN.com

Is there a way to compare the fields?

ziegfried · ‎06-29-2010

You can do this by using the where command:

<your search> | where REF1!=REF2

bfaber · ‎06-28-2010

I would imagine you could add this to the end of your search

| search NOT REF1=REF2

but that may also give you events where REF1 and REF2 don't exist.

Try it out and let us know!

ziegfried · ‎06-29-2010

This won't work. It would compare the value of the field REF1 with the value "REF2" (ie. not the value of field REF2).

Are you a member of the Splunk Community?