Solved: How to compare 2 columns of a table when we use 'c...

georgear7 · ‎06-09-2020

I have used the below query to create one table:

index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2
| rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt"
| rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt"
| rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)" | chart latest(Label) by EAR_Name,host

My current table is,

EAR_Name host1 host2
mobile.ear sg.mobile-12 sg.mobile-10
google.ear hk.google-45 hk.google-45
facebook.ear th.fb-37 th.fb-37

here..sg.mobile-12, hk.google-45 values of Label..

My requirement is to compare(row-wise) each value of host1 column with host2 column..and produce the output like "Matching","Not Matching"...like below:

EAR_Name host1 host2 Result
mobile.ear sg.mobile-12 sg.mobile-10 Not Matching
google.ear hk.google-45 hk.google-45 Matching
facebook.ear th.fb-37 th.fb-37 Matching

rnowitzki · ‎06-10-2020

Hi,

this will do it:

| eval Result=if(host1==host2,"Matching", "Not Matching")

--
Karma and/or Solution tagging appreciated.

View solution in original post

Ashwini_5 · ‎08-15-2021

Hi @georgear7 ,

Have you found solution for this scenario? If so, Kindly share it.

georgear7 · ‎06-11-2020

Hi @skakehi_splunk, Can you help me here for this query ?

skakehi_splunk · ‎06-11-2020

@georgear7 Looks like @rnowitzki 's answer is the solution.

Did you try to add the solution to end of the line? (like this)
If it doesn't work, let me know your SPL and sample results of Not Matching.

index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2
| rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt"
| rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt"
| rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)"
| chart latest(Label) by EAR_Name,host
| eval Result=if(host1==host2,"Matching", "Not Matching")

Just to be sure, check the result of the rex command on the third line you posted in your question.
My concern is that the regular expression "versionInfo*.txt" is probably does not match filename such as "versionInfo20200611.txt". In this case, like "versionInfo.*.txt" or "versionInfo\d+.txt" works.
If the regular expression works correctly and extracts the information you want, you are good to go.

georgear7 · ‎06-11-2020

Thanks both @skakehi_splunk @rnowitzki ..My actual server name is something like below.

host-03u, host-04u..So when i used eval command, i forgot to put single quote in server name. So i didn't get the expected result.

Now after giving single quote in server name, it's working fine.

Thanks @skakehi_splunk once again for your reply here..

rnowitzki · ‎06-10-2020

Hi,

this will do it:

| eval Result=if(host1==host2,"Matching", "Not Matching")

--
Karma and/or Solution tagging appreciated.

georgear7 · ‎06-10-2020

@rnowitzki it's not working as expected. I got Result as "Non Matching" for all the rows even though identical values present for host1=host2.

How to compare 2 columns of a table when we use 'chart' command ?

table

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

How to compare 2 columns of a table when we use 'chart' command ?

table

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...