Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you compare 2 fields in different indexes to add a third field?

ppiton
New Member
‎12-28-2018 05:28 AM

Hello,

I can't find out how to do a search to compare the same value in 2 fields, and if this is same value, add a third field.

For exemple:
index1 with field1Index1 and field2Index1
index2 with field1Index2

In the search, if field1Index1 = field1Index2 then display field1Index1 and field2Index1
NB: field1Index1 associated to field2Index1in index1

I found different subjects on the forum with eval, if... but not with all that conditions.

Can you help me?

Thank you.

Tags (2)
0 Karma
Reply

saurabhkharkar
Path Finder
‎12-28-2018 06:17 AM

Can you try this ?
This will return results only if field1Index1=field1Index2

| makeresults
| eval field1Index1= 4
| eval field2Index1= 7
| eval field1Index2= 4
| eval field1Index1New =case(field1Index1=field1Index2,field1Index1,field1Index2=field1Index1,field2Index1,1=0,0)
| where field1Index1New!=""
| table field2Index1 field1Index1New

0 Karma
Reply

ppiton
New Member
‎12-28-2018 06:33 AM

Ok but i don't need to set values 4 or 7.
I need to use values of search.
Thank you.

0 Karma
Reply

saurabhkharkar
Path Finder
‎12-28-2018 06:38 AM

yeah, all you have to use is

index=index1 OR index=index2
| eval field1Index1New =case(field1Index1=field1Index2,field1Index1,field1Index2=field1Index1,field2Index1,1=0,0)
| where field1Index1New!=""
| table field2Index1 field1Index1New

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...