I have two queries:
index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1=var2
and
index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1="avalue"
How is it that the second query returns events, whereas the first returns none? I would think they are essentially doing the same string comparison on the final line?
Any help would be great
Hi georgiawebber,
The second search is searching for the string avalue and returns events that contain the field var1 = "avalue".
The first search should be a where if you want to compare the values of two fields. So, like:
| where var1 = var2
Hope this helps ...
cheers, MuS
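The difference MuS describes can be reproduced without any indexed data. The following is an added example, not part of the original thread: it uses makeresults to build a single event with constructed field values, then runs each variant of the final line and counts what survives. The fourth search (with the extra field var3) goes beyond the original question to show what search actually does with an unquoted right-hand side: it treats var2 as the literal string "var2", not as a field reference.

```spl
| makeresults count=1
| eval var1="avalue", var2="avalue"
| search var1=var2
| stats count AS matching_events

| makeresults count=1
| eval var1="avalue", var2="avalue"
| where var1=var2
| stats count AS matching_events

| makeresults count=1
| eval var1="avalue", var2="avalue"
| search var1="avalue"
| stats count AS matching_events

| makeresults count=1
| eval var1="avalue", var2="avalue", var3="var2"
| search var3=var2
| stats count AS matching_events
```

Run each pipeline separately. The first returns matching_events=0, because search is looking for an event whose var1 field has the value "var2". The second returns 1, because where evaluates var1=var2 as an expression comparing two field values. The third returns 1, since search is now matching the literal "avalue". The fourth also returns 1: var3 really does contain the string "var2", which is exactly what search var3=var2 asks for. For detection content this matters in practice: a rule that compares two fields (say, the account that authenticated against the account that was targeted) with search instead of where does not error, it just returns zero results, so a quick makeresults check like this is a cheap way to confirm a field-to-field comparison behaves as intended before relying on it.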
Thanks MuS. I understand that typically 'where' should be used, however am more curious as to why the case I presented does not work. Possibly it is just one of Splunk's many quirks...
Exactly, for the reasons I told you: search will search in the _raw for a string, while where uses eval to compare the values of two fields.
Aye, I understand you now. That makes sense. Thanks!