Splunk Search

How to compare 2 columns of a table when we use the 'chart' command?

georgear7
Communicator

I have used the below query to create one table:

index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2
| rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt"
| rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt"
| rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)"
| chart latest(Label) by EAR_Name,host

My current table is,

EAR_Name      host1         host2
mobile.ear    sg.mobile-12  sg.mobile-10
google.ear    hk.google-45  hk.google-45
facebook.ear  th.fb-37      th.fb-37

Here, sg.mobile-12 and hk.google-45 are values of Label.

My requirement is to compare (row-wise) each value of the host1 column with the host2 column and produce output like "Matching" or "Not Matching", as below:

EAR_Name      host1         host2         Result
mobile.ear    sg.mobile-12  sg.mobile-10  Not Matching
google.ear    hk.google-45  hk.google-45  Matching
facebook.ear  th.fb-37      th.fb-37      Matching

1 Solution

rnowitzki
Builder

Hi,

this will do it:

| eval Result=if(host1==host2,"Matching", "Not Matching")
--
Karma and/or Solution tagging appreciated.


Ashwini_5
Explorer

Hi @georgear7,

Have you found a solution for this scenario? If so, kindly share it.


georgear7
Communicator

Hi @skakehi_splunk, can you help me here with this query?

 


skakehi_splunk
Splunk Employee

@georgear7 Looks like @rnowitzki's answer is the solution.

Did you try to add the solution to the end of the line (like this)?
If it doesn't work, let me know your SPL and sample results of Not Matching.

index=abc sourcetype=xyz source=*.txt host=host1 OR host=host2
| rex field=source "/abcdef(?<EAR_Name>\w+.*ear)/versionInfo.txt"
| rex field=source "/xyzpqrs(?<EAR_Name>\w+.*ear)/versionInfo*.txt"
| rex field=_raw "deployTag=\d+\@\w+.*@(?<Label>\w+.*)"
| chart latest(Label) by EAR_Name,host
| eval Result=if(host1==host2,"Matching", "Not Matching")

 
Just to be sure, check the result of the rex command on the third line you posted in your question.
My concern is that the regular expression "versionInfo*.txt" probably does not match a filename such as "versionInfo20200611.txt". In this case, something like "versionInfo.*.txt" or "versionInfo\d+.txt" works.
If the regular expression works correctly and extracts the information you want, you are good to go.

georgear7
Communicator

Thanks both @skakehi_splunk @rnowitzki. My actual server name is something like below.

host-03u, host-04u. So when I used the eval command, I forgot to put the server name in single quotes, so I didn't get the expected result.

Now, after putting the server name in single quotes, it's working fine.

Thanks @skakehi_splunk once again for your reply here.
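
The fix described in the reply above, as an added example that is not part of the original thread: a self-contained search that builds constructed sample rows with makeresults, charts them into host-03u and host-04u columns, and references those columns in single quotes inside eval so the hyphen is read as part of the field name rather than as a minus operator. It goes slightly beyond the thread by also flagging a row where one host has no value; the extra.ear row and its label are constructed for illustration.

```spl
| makeresults count=7
| streamstats count AS n
| eval host=if(n%2==1, "host-03u", "host-04u")
| eval EAR_Name=case(n<=2, "mobile.ear", n<=4, "google.ear", n<=6, "facebook.ear", true(), "extra.ear")
| eval Label=case(n==1, "sg.mobile-12", n==2, "sg.mobile-10", n<=4, "hk.google-45", n<=6, "th.fb-37", true(), "sg.extra-1")
| chart latest(Label) by EAR_Name, host
| eval Result=case(isnull('host-03u') OR isnull('host-04u'), "Missing on one host", 'host-03u'=='host-04u', "Matching", true(), "Not Matching")
```

With this sample data, mobile.ear comes out as "Not Matching", google.ear and facebook.ear as "Matching", and extra.ear as "Missing on one host".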


georgear7
Communicator

@rnowitzki It's not working as expected. I got Result as "Non Matching" for all the rows even though identical values are present for host1=host2.
