I have two queries:
index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1=var2
and
index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1="avalue"
How is it that the second query returns events, whereas the first returns none? I would think they are essentially doing the same string comparison on the final line?
Any help would be great 🙂
Hi georgiawebber,
the second search is searching for the string avalue and returns events that contain the field var1 = "avalue".
the first search should be a where if you want to compare the values of two fields. So like:
| where var1 = var2
Hope this helps ...
cheers, MuS
Thanks MuS. I understand that typically 'where' should be used, however I am more curious as to why the case I presented does not work. Possibly it is just one of Splunk's many quirks...
Exactly for the reasons I told you: search will search in the _raw for a string, while where uses eval to compare two values of two fields 😉
Aye I understand you now - that makes sense. Thanks!
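The point behind the thread, shown side by side in a single search you can paste into any Splunk search bar (this is an added example, not code from the original posters): in the search command the right-hand side of field=value is always a literal value, so `search var1=var2` keeps only events whose var1 field contains the string "var2", quoted or not. In eval and where, an unquoted name is a field reference and only a quoted value is a literal. The rows come from makeresults (constructed test data, no index needed); the field names n, var1, var2 and the kept_by_* columns are chosen for this example. The searchmatch() eval function applies the search command's matching rules to each row, so each kept_by_search column shows exactly which rows a `| search ...` with that string would keep.

```spl
| makeresults count=3
| streamstats count AS n
| eval var1="avalue"
| eval var2=if(n=2, "bvalue", "avalue")
| eval kept_by_search=if(searchmatch("var1=var2"), "yes", "no")
| eval kept_by_search_quoted=if(searchmatch("var1=\"var2\""), "yes", "no")
| eval kept_by_search_literal=if(searchmatch("var1=avalue"), "yes", "no")
| eval kept_by_where=if(var1=var2, "yes", "no")
| table n var1 var2 kept_by_search kept_by_search_quoted kept_by_search_literal kept_by_where
```

The table shows kept_by_search and kept_by_search_quoted as "no" on all three rows (no row has var1 equal to the string "var2"), kept_by_search_literal as "yes" on all three (that is the thread's second query), and kept_by_where as "yes" only on rows 1 and 3, where the two fields actually hold the same value. So the fix for the first query is `| where var1=var2` (or `var1==var2`), while `| where var1="var2"` would again compare against the literal string. One caveat when switching from search to where: the search command matches field values case-insensitively, whereas the where comparison is case-sensitive, so use `| where lower(var1)=lower(var2)` if the original search behaviour is what you want.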