- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to compare 2 field values and exclude matc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to compare 2 field values and exclude matching results from the final output / count
Below is my search output for the SPL i am running.
`
db_1
oracle_test
db2_bio
oracle_890
n88888
n7777
server_2
n87896
bg8768
j987653
n88888
n7777
How do i exclude the field records which are identical between 2 fields like in this case -- (n88888 & n7777)
I tried using there where clause /Search , but without any success ..
SPL used to display fields records which are not identical ---
|splunk command | where db_1 != server_2 ( Not wokring )
|splunk Command | fields db_1,server_2 | search db_1 !=server_2 ( Not working )
Any clue/help will be appreciated ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's field name, n88888 & n7777?
and
oracle_test db2_bio oracle_890 n88888 n7777
n87896 bg8768 j987653 n88888 n7777
your result is this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field names are -- source1.db_1 & source1.server_2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes ..correct .. i want to exclude the matching records from both fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
db_1:
source1.db_1 n88888
source1.server_2 n7777
server_2:
source1.db_1 n88888
source1.server_2 n7777
this 2 results is exclude. right?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes want to exclude those 2 values in the final output
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok , I was able to resolve using a single quote around the field name along with a where clause.
|splunk command | where 'db_1'!='server_2'
Found the below input in the splunk documentation which helped ..
https://docs.splunk.com/Documentation/SplunkInvestigate/Current/SearchReference/WhereCommandOverview
where 'host-name'="buttercup" If the expression references a field name that contains characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character, the field name must be surrounded by single quotation marks.
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what's your query?
server and db is another
host?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
