Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Comparing two string values
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmccomb
Explorer
01-14-2014
03:38 PM
I have email address' that are used as user names in two different source types in two different indices. I am trying to compare the two in order to find a list of matches and also the list of ones that do not match for each. I am doing something like this:
index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" Userid=email | table Userid, email
(I just want to output matching fields with this search)
There are a lot of matches between the Userid and email -> I have run individual searches on each and compared the results. However, I receive no matches. Is there possibly an issue with the format of the strings or are there any time comparisons going on that may throw it off?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-14-2014
05:07 PM
Try this
Common values
|set intersect [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]
Difference
|set diff [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-14-2014
05:07 PM
Try this
Common values
|set intersect [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]
Difference
|set diff [search index="index1" sourcetype="SessionCount" | stats count by Userid | fields - count ] [search index ="main" sourcetype="Identity" | stats count by email | rename email as UserId | fields - count]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vranjith009
New Member
11-18-2015
05:54 AM
My requirement was also same like this, but its not working. I have two files like this.
Name
abc
def
ghi
Name0
xyz
abc
ghi
I am expecting common values which are present on both files and difference values.
Eval / if - queries are not working due to values are misplaced in files. I was trying with below query for common values
|set intersect [|inputcsv scc.csv |stats values(Name) as sccm] [|inputcsv lan.csv | stats values(Name0) as Lan]
But its not giving any outputs tried by adding fields also, no luck. can any one help me on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmccomb
Explorer
01-15-2014
11:37 AM
This did it.. thank you! That was really helpful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lukejadamec
Super Champion
01-14-2014
05:14 PM
Where do you learn this stuff?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
01-14-2014
04:14 PM
This part is wrong?
「Userid=email」
For example if it is?
index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" | stats values(sourcetype) by Userid, email
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmccomb
Explorer
01-15-2014
11:41 AM
Not sure I see anywhere that this is matching the email/Userid values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
asimagu
Builder
01-14-2014
03:55 PM
your logic to compare is wrong, with Userid=email you are telling Splunk to look for events with the value "email" in the field Userid
I take Userid is a field and then email is another field, right?
If that's the case you would need something like this:
index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" | table Userid email | where Userid=email
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmccomb
Explorer
01-15-2014
11:40 AM
This one seemed like it would work but the table did not return any results. Splunk said it found matching events... but the table returned noting and complained that there was some kind of issue with "| table Userid email | where Userid=email"
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
