I have used the below query to create one table:
index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2
| rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt"
| rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt"
| rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)"
| chart latest(Label) by EAR_Name,host
My current table is:
EAR_Name       host1          host2
mobile.ear     sg.mobile-12   sg.mobile-10
google.ear     hk.google-45   hk.google-45
facebook.ear   th.fb-37       th.fb-37
Here, sg.mobile-12 and hk.google-45 are values of Label.
My requirement is to compare (row-wise) each value of the host1 column with the host2 column and produce output like "Matching" or "Not Matching", as below:
EAR_Name       host1          host2          Result
mobile.ear     sg.mobile-12   sg.mobile-10   Not Matching
google.ear     hk.google-45   hk.google-45   Matching
facebook.ear   th.fb-37       th.fb-37       Matching
Hi,
this will do it:
| eval Result=if(host1==host2,"Matching", "Not Matching")
Hi @georgear7,
Have you found a solution for this scenario? If so, kindly share it.
Hi @skakehi_splunk, can you help me here with this query?
@georgear7 Looks like @rnowitzki's answer is the solution.
Did you try to add the solution to the end of the line (like this)?
If it doesn't work, let me know your SPL and sample results of Not Matching.
index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2
| rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt"
| rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt"
| rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)"
| chart latest(Label) by EAR_Name,host
| eval Result=if(host1==host2,"Matching", "Not Matching")
Just to be sure, check the result of the rex command on the third line you posted in your question.
My concern is that the regular expression "versionInfo*.txt" probably does not match a filename such as "versionInfo20200611.txt". In this case, something like "versionInfo.*.txt" or "versionInfo\d+.txt" works.
If the regular expression works correctly and extracts the information you want, you are good to go.
Thanks both, @skakehi_splunk @rnowitzki. My actual server names are something like the below:
host-03u, host-04u. So when I used the eval command, I forgot to put single quotes around the server name, so I didn't get the expected result.
Now, after putting single quotes around the server name, it's working fine.
Thanks @skakehi_splunk once again for your reply here.
Hi,
this will do it:
| eval Result=if(host1==host2,"Matching", "Not Matching")
@rnowitzki It's not working as expected. I got Result as "Non Matching" for all the rows even though identical values are present for host1=host2.
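The single-quote fix described in the thread, as an added run-anywhere example that is not part of any poster's original search. It rebuilds the sample table with makeresults (constructed data, using the host names host-03u and host-04u and the labels from the thread) and compares a double-quoted eval with the single-quoted one. In eval, double quotes create string literals, so DoubleQuoted compares the text "host-03u" with "host-04u" and is always "Not Matching"; single quotes make eval read the hyphenated column names as fields. The field names n, DoubleQuoted and Result are chosen for this example.

```spl
| makeresults count=6
| streamstats count AS n
| eval EAR_Name=case(n<=2,"mobile.ear", n<=4,"google.ear", true(),"facebook.ear")
| eval host=if(n%2==1,"host-03u","host-04u")
| eval Label=case(n==1,"sg.mobile-12", n==2,"sg.mobile-10", n<=4,"hk.google-45", true(),"th.fb-37")
| chart latest(Label) by EAR_Name, host
| eval DoubleQuoted=if("host-03u"=="host-04u","Matching","Not Matching")
| eval Result=if('host-03u'=='host-04u',"Matching","Not Matching")
```

With this data, Result is "Not Matching" for mobile.ear and "Matching" for google.ear and facebook.ear, while DoubleQuoted is "Not Matching" on every row.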