Solved: Field Comparison Not Working in Basic Search

georgiawebber · ‎03-27-2019

I have two queries:

index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1=var2

and

index=main
| eval var1="avalue"
| eval var2="avalue"
| search var1="avalue"

How is it that the second query returns events, whereas the the first returns none? I would think they are essentially doing the same string comparison on the final line?

Any help would be great 🙂

MuS · ‎03-27-2019

Hi georgiawebber,

the second search is searching for the string avalue and returns events that contain the field var1 = "avalue".
the first search should be a where if you want to compare the values of two fields. So like :

 | where var1 = var2

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎03-27-2019

Hi georgiawebber,

the second search is searching for the string avalue and returns events that contain the field var1 = "avalue".
the first search should be a where if you want to compare the values of two fields. So like :

 | where var1 = var2

Hope this helps ...

cheers, MuS

georgiawebber · ‎03-27-2019

Thanks MuS. I understand that typically 'where' should be used, however am more curious as to why the case I presented does not work. Possibly it is just one of Splunk's many quirks...

MuS · ‎03-27-2019

Exactly for the reasons I told you search will search in the _raw for a string, while where uses eval to compare two values of two fields 😉

georgiawebber · ‎03-27-2019

Aye I understand you now - that makes sense. Thanks!

Field Comparison Not Working in Basic Search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!