Solved: Re: Comparing two string values

pmccomb · ‎01-14-2014

I have email address' that are used as user names in two different source types in two different indices. I am trying to compare the two in order to find a list of matches and also the list of ones that do not match for each. I am doing something like this:

index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" Userid=email | table Userid, email
(I just want to output matching fields with this search)

There are a lot of matches between the Userid and email -> I have run individual searches on each and compared the results. However, I receive no matches. Is there possibly an issue with the format of the strings or are there any time comparisons going on that may throw it off?

somesoni2 · ‎01-14-2014

Try this

Common values

|set intersect [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]

Difference

|set diff [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]

View solution in original post

somesoni2 · ‎01-14-2014

Try this

Common values

|set intersect [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]

Difference

|set diff [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]

vranjith009 · ‎11-18-2015

My requirement was also same like this, but its not working. I have two files like this.
Name

abc
def
ghi

Name0
xyz
abc
ghi

I am expecting common values which are present on both files and difference values.
Eval / if - queries are not working due to values are misplaced in files. I was trying with below query for common values

But its not giving any outputs tried by adding fields also, no luck. can any one help me on this.

pmccomb · ‎01-15-2014

This did it.. thank you! That was really helpful.

lukejadamec · ‎01-14-2014

Where do you learn this stuff?

HiroshiSatoh · ‎01-14-2014

This part is wrong?
「Userid=email」

For example if it is?

index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" | stats values(sourcetype) by Userid, email

Userid, email,values(sourcetype)
001,a@a,SessionCount Identity
002,b@a,SessionCount
003,c@a,Identity

pmccomb · ‎01-15-2014

Not sure I see anywhere that this is matching the email/Userid values.

asimagu · ‎01-14-2014

your logic to compare is wrong, with Userid=email you are telling Splunk to look for events with the value "email" in the field Userid

I take Userid is a field and then email is another field, right?

If that's the case you would need something like this:

index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" | table Userid email | where Userid=email

pmccomb · ‎01-15-2014

This one seemed like it would work but the table did not return any results. Splunk said it found matching events... but the table returned noting and complained that there was some kind of issue with "| table Userid email | where Userid=email"

Comparing two string values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation