Splunk Search

Eval comparison shows no matches despite both fields having the same values

neerajs_81
Builder

Hi All, 
I need to filter my search based on the condition of whether the values of 2 fields are equal or not. The 2 fields in question are actor.alternateID and src_user_email, and both fields are visible in the same event.

For example, the raw data shows that the value of actor.alternateID is anand.pandey@company.com


Likewise, the raw data shows that the value of src_user_email is the same: anand.pandey@company.com


If I run the following search, the value of the field match comes out to be "No Match". Why is eval showing them as not a match if both field values are the same?

index=xxx sourcetype=xxxx 
....
| eval match=if(actor.alternateId=src_user_email,"Match","No Match")

Likewise, if I use a where condition instead of eval, this shows "No results to display", meaning that even the where clause thinks both fields are different.

|where src_user_email = actor.alternateID

The same is happening for other email IDs and other fields even though their values are the same.

What am I doing wrong here? How do I compare the fields then? Both are strings.


gcusello
SplunkTrust

Hi @neerajs_81,

I suppose that you already checked whether there's a space at the beginning or the end of both values.

Anyway, please rename the field with the dot and try again:

index=xxx sourcetype=xxxx 
....
| rename actor.alternateId AS alternateId
| eval match=if(alternateId=src_user_email,"Match","No Match")

Sometimes a dot gives problems in the eval command.

Ciao,

Giuseppe

neerajs_81
Builder

Holy moly 🙂 Just when I was going through your other post, you replied to my question.
https://community.splunk.com/t5/Splunk-Search/comparing-fields-to-find-identical-values/m-p/533089 

Thank you so much, that worked. 😀

Now, is the dot in the field name an issue with the |search and |where clauses also? Because I did try comparing using both search and where, in addition to eval as you mentioned in the other post, and both didn't work. Do I need to rename the field if comparing via |search and |where as well?


gcusello
SplunkTrust

Hi @neerajs_81,

I'm not sure about all the situations where a dot gives problems; I'm sure about eval!

But anyway, I always rename any fields with dots, parentheses, spaces or other strange characters.

Ciao.

Giuseppe
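As an added example, not code from the thread, here is the comparison written three ways in SPL: the unquoted form from the question, which eval parses as the concatenation `actor . alternateId` of two non-existent fields (so the result is null and the comparison silently fails instead of raising an error, which is why a detection built on it simply reports no matches); the single-quoted form that eval and where require for field names containing characters other than letters, digits and underscore; and the rename from the accepted answer, followed by trim() and lower() so a stray space or case difference between the two identity fields does not read as a mismatch. The index, sourcetype and the field names broken, quoted, alt_norm and src_norm are assumptions.

```spl
index=xxx sourcetype=xxxx
| eval broken=if(actor.alternateId=src_user_email, "Match", "No Match")
| eval quoted=if('actor.alternateId'=src_user_email, "Match", "No Match")
| rename actor.alternateId AS alternateId
| eval alt_norm=lower(trim(alternateId)), src_norm=lower(trim(src_user_email))
| eval match=if(alt_norm=src_norm, "Match", "No Match")
| table alternateId src_user_email broken quoted match
```

On the data in the question, broken is "No Match" on every event while quoted and match are "Match". The same single-quote rule applies in a where clause (| where 'actor.alternateId'=src_user_email), whereas | search treats the right-hand side of field=value as a literal string, so a field-to-field comparison has to go through where or eval.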
