Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare Field Values of Two Different Fields from Two Lookups?

atebysandwich
Path Finder
‎06-06-2023 08:53 AM 
|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth.1

Some of the field values in each version of Host_Auth match and some don't. How can I find the events that do not match?

I've tried where Host_Auth != Host_Auth.1 and eval but nothing works

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-06-2023 09:52 AM

Let me take a guess: you can do yourself a favor by not naming fields with special characters.

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth_1
| where Host_Auth != Host_Auth_1

When field name contains special characters, you need to use single quotes in order to dereference their values, like

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth.1
| where Host_Auth != 'Host_Auth.1'

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎06-06-2023 09:52 AM

Let me take a guess: you can do yourself a favor by not naming fields with special characters.

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth_1
| where Host_Auth != Host_Auth_1

When field name contains special characters, you need to use single quotes in order to dereference their values, like

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth.1
| where Host_Auth != 'Host_Auth.1'
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...