Solved: Field Comparison Not Working in Basic Search

georgiawebber · ‎03-27-2019

I have two queries:

index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1=var2

and

index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1="avalue"

How is it that the second query returns events, whereas the the first returns none? I would think they are essentially doing the same string comparison on the final line?

Any help would be great 🙂

MuS · ‎03-27-2019

Hi georgiawebber,

the second search is searching for the string avalue and returns events that contain the field var1 = "avalue".
the first search should be a where if you want to compare the values of two fields. So like :

 | where var1 = var2

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎03-27-2019

Hi georgiawebber,

the second search is searching for the string avalue and returns events that contain the field var1 = "avalue".
the first search should be a where if you want to compare the values of two fields. So like :

 | where var1 = var2

Hope this helps ...

cheers, MuS

georgiawebber · ‎03-27-2019

Thanks MuS. I understand that typically 'where' should be used, however am more curious as to why the case I presented does not work. Possibly it is just one of Splunk's many quirks...

MuS · ‎03-27-2019

Exactly for the reasons I told you search will search in the _raw for a string, while where uses eval to compare two values of two fields 😉

georgiawebber · ‎03-27-2019

Aye I understand you now - that makes sense. Thanks!

Field Comparison Not Working in Basic Search

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform