I tried to apply this logic as I want to check if the values from con_splunkUL exists within con_UL, but for me it seems its checking for a direct match between both fields rather than checking for a match within the whole data set.

| eval MonitoringStatus = if(like(con_splunkUL,"%".con_UL."%"), "Monitored", "Not Monitored") 

Did you figure this out, i'm having the same issues

I have same type of issue there , I want to look into two tables to match fields value if any match found then ignore if no match found then create separate table too display unique values only which comes out of two tables

Here are my tables, Example: If search pick value (353649273) from table A then it should search for match with all values in table B , not look like only one value corresponding to that field.

OrderNumberFailureA OrderNumberFailureB
353649273 353648649
353649184 353648566
353649091 353616829
353649033 353648649
353648797

353648680

353648745

353648730

353638941

353649331

340568517

353638941

353648361

349156251

353649335

353649091

353649240

353649143

353649160

353649092

353649312

353648984

353649091

353649163

353649240

353649092

353649143

353649095

353649008

353648984

353649008

353648794

353648856

353649273

353648796

353648754

353648620

353648594

353648794

353648649

353648685

353648651

353638941

353648610

353649273

353649241

353649163

353616829

353649163

353648754

353649347

353649335

353648748

353648661

353648649

353648754

353648649

353648649

353648984

353648994

353648802

353649263

353648649

353649347

353649240

353649178

353616829

353649092

353648984

353648754

353648768

353648749

353649387

353648680

353648649

353648566

Did anyone get a chance to look into this as well

Its complicated, still didnt get this quite working..

I tried using foreach loop but that didn't work. If we think about logic then it says we have to pick value from table A and search for each value in next table(B) which logically should be possible using foreach look to iterate through each value.

Also if this is not possible then can you query like to get count of unique values by appending column 2 into column 1 then check for count more than 1.

But in this case we have to dedup column 1 & 2 before we append them to avoid any discrepancy. Waiting for your comments....

Even if we append and dedup the results are still different because they are prefixes... the CIDR command can work for only numerical values being an IP address, but for this instance we are using Hex decimals. So at this stage, it is not possible. We tried using the foreach but because we have 30,000 different prefixes... our subsearches were huge and max out..

can we store both search queries results into two lookup tables instead of creating normal table, after that can we compare for unique values.

Just a ask

Yes I did, I used the below.

| eval MonitoringStatus = if(like(upper(con_UL),"%".upper(con_splunkUL)."%"), "Monitored", "Not Monitored")

Also here is another example I used within the same search

| eval Action=if ((MonitoringStatus="Not Monitored")AND(like(Path,"%Hosting%")),"Action Required","No Action Required")

Regarding this though how would you go about it if you have an index with values...

and you want to check it against a .csv which contains prefixes...

I've currently got a question posted on splunkanswers. https://answers.splunk.com/answers/692085/how-to-match-two-columns-based-on-prefix-numbersle.html#an...

I am using this and it works, but how can I have it ignore the case of the compared contained string.  Make it case insensitive?

thanks very much! I was able to get it working with this.