I'm trying something like this:
my base search | where data.value1 == data.value2
my base search | where data.value1 != data.value2
I've tried variations of match = case as well.
A single event has the two fields I want to compare.
Hi @doesntmatter,
Let me understand: are data.value1 and data.value2 two different fields of the same event?
If yes, you could run something like this:
my_base_search
| rename data.value1 AS value1 data.value2 AS value2
| eval condition=if(value1=value2,"Equal","Different")
| ...
The first rename is useful because sometimes the dot in the field name gives problems.
In a few words, this way you create a condition (the eval command) to define whether the values are equal or different.
If instead the two values aren't in the same event but arrive from a grouping command (e.g. stats), you could use the same approach after the grouping command.
Ciao.
Giuseppe
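The same comparison without the rename, as an added example that is not part of the original thread: in eval and where expressions an unquoted dot is the concatenation operator, so a dotted field name is wrapped in single quotes when it is read. The three events are constructed with makeresults, and the field constructed_row and the "Missing" branch for events that lack one of the two fields are additions made here.

```spl
| makeresults count=3
| streamstats count AS constructed_row
| eval "data.value1"=case(constructed_row=1, "alpha", constructed_row=2, "alpha", constructed_row=3, "beta")
| eval "data.value2"=case(constructed_row=1, "alpha", constructed_row=2, "ALPHA")
| eval condition=case(
    isnull('data.value1') OR isnull('data.value2'), "Missing",
    'data.value1'=='data.value2', "Equal",
    true(), "Different")
| table constructed_row data.value1 data.value2 condition
```

To filter rather than label, the same quoting applies in where, for instance `| where 'data.value1'!='data.value2'`.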