- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to compare between individual values from ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to compare between individual values from two fields having multiple values ?
I have 2 fields from my search, something like this -
Errorcode, ErrorDescription
Err1, "abcd password is missing xyz"
Err1, "1111 password is missing 222"
Err1, "1233455 connection is not working 6789"
Now I have another field called ErrorCategory which has a list of values like -
Password is missing, Connection is not working ,xxxx, yyyy, jjjj...
I want to compare each value of ErrorDescription with Error Category and the end result should look like this -
ErrorCode, ErrorDescription,ErrorCategory
Err1, "abcd password is missing xyz",Password is missing
Err1, "1111 password is missing 222",Password is missing
Err1, "1233455 connection is not working 6789",Connection is not working
Right now, when I am trying to use match and compare, it is comparing the entire ErrorCatgory list with each value of ErrorDescription, so it is not able to match.
How do I achieve the one on one comparison between fields having multiple values ? Does anyone have any idea how to achieve this ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a lookup file with content like this:
ErrorDescription, ErrorCategory
*Password is missing*,Password is missing
*Connection is not working*,Connection is not working
...,...
Then create a lookup definition which sets WIDLCARD(ErrorDescription) and Ignore Case.
Then just do a lookup like this:
... | lookup YourLookupDefinitionHere ErrorDescription
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone has any solution to this ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want to compare only the textpart of ErrorDescription and ErrorCategory?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, compare only text part, ErrorDescription will be more detailed and ErrorCategory will be a short one
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From where does the ErrorCategory field come? Is it a lookup table OR field in your raw data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 , Yes exactly, the ErrorCategory comes from a lookup file. The lookup has only ErrorCode and ErrorCategory, I need to match the text of the ErrorDescription and assign it to a ErrorCategory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, to give u more details, this is the command i m using -
index=test (Error* OR fault* OR warning* OR fail*) "searchID"|
| lookup mylookup.csv ErrorCode OUTPUTNEW ErrorCategory | eval match=if(like(ErrorDescription,"%".Error_Category."%"),"Yes","No") | table searchID, ErrorCode, ErrorDescription, ErrorCategory, match
But I am not getting any match, i am getting teh below table output-
ErrorCode, ErrorDescription,ErrorCategory,match
Err1, "abcd password is missing xyz",Password is missing,Connection is not working,xxxx,yyyy,jjjj,no
Basically it is trying to compare the entire list of ErrorCategory against the one ErrorDescription.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm are you matching the case properly?
Like("abcd password is missing xyz") is not equal to Like(Password is missing). ErrorCategory starts with an upper case. Have you tried using something like |eval ErrorCategory=LOWER(ErrorCategory)
And then trying out your match eval?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
