Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval Comparision shows no matches despite both fields having same values

neerajs_81
Builder
‎03-29-2022 11:05 PM

Hi All, 
I need to filter my search based on the condition if the values of 2 fields are equal or not.  The 2 fields in question are actor.alernateID  and src_user_email and both fields are visible in the same event.

For example:  Raw data shows value of actor.alternateID is   anand.pandey@company.com

 

neerajs_81_0-1648619765791.png

Likewise, Raw data shows value or src_user_email is also same:  anand.pandey@company.com

neerajs_81_1-1648619923583.png

If i run the following search,  the value of the field match  comes out to be "No match" .  Why is eval showing them to be not a match if both field values are the same ? 

 

 

index=xxx sourcetype=xxxx 
....
| eval match=if(actor.alternateId=src_user_email,"Match","No Match")

 

 

 

neerajs_81_3-1648620163158.png

Likewise, instead  if i  use the where condition instead of eval  ,  this shows NO results to display;   meaning  even the where clause thinks both fields are different .  

 

 

|where src_user_email = actor.alternateID

 

 

The same is happening for other email IDs and other fields even though their values are same.

What am i doing wrong here? How to compare fields then?  Both are strings.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-29-2022 11:38 PM

Hi @neerajs_81,

I suppose that you already checked if there's a space at the beginning or the eand of both values.

Anyway, please rename the field with dot and try again:

index=xxx sourcetype=xxxx 
....
| rename actor.alternateId AS alternateId
| eval match=if(alternateId=src_user_email,"Match","No Match")

sometimes dot gives problem in eval command.

Ciao.,

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-29-2022 11:38 PM

Hi @neerajs_81,

I suppose that you already checked if there's a space at the beginning or the eand of both values.

Anyway, please rename the field with dot and try again:

index=xxx sourcetype=xxxx 
....
| rename actor.alternateId AS alternateId
| eval match=if(alternateId=src_user_email,"Match","No Match")

sometimes dot gives problem in eval command.

Ciao.,

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎03-29-2022 11:56 PM

Holly Molly 🙂  Just when i was going thru your other post , you replied to my question.
https://community.splunk.com/t5/Splunk-Search/comparing-fields-to-find-identical-values/m-p/533089 

Thank you so much that worked.  😀  

Now is the . dot in the field name  an issue with  |search  and |where  clause  also ?  Because i did try comparing using both search and where  in additional to eval  as you mentioned in the other post and both didn't work.  Do i need to rename the field if comparing via  |search and |where as well ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-30-2022 12:10 AM

Hi @neerajs_81,

I'm not sure about all the situations where dot gives problem, I'm sure about eval!

But anyway, I always rename eventual fields with dot or parenthesis or spaces or other strange chars.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...