How to compare two fields from two different index...

rohitnaz007 · ‎12-07-2020

I am running 2 different Index and have to compare each value in field 1 from 1st index with the values in field2 from index 2 . & also regex is used for other field value. The display result should show a match or a Non Match against each value.

Given Data:

(index=cmi cef_vendor="Imperva Inc." cef_product="WAF" dvc="10.124.1.202" act="None" cs2="*" deviceSeverity=High) OR (index=case_management DeviceProduct=WAF fname IN ("*CMI - WAF*"))

| rex field=fname "(-)(?(\s)(PROD|SFR)+(\s))(-)(?(\s)[\w]+(\s)[\w]+(\s))(?(\d)+(\s))(-)"

| eval m=coalesce(cn1,alert)

| stats values(cn1) as cn1 values(alert) as alert by m

| table cn1 alert m

Results should be something like this table:

cn1 alert m

453626 453626 Match

453624 453626 No Match

@elrich11

richgalloway · ‎12-07-2020

What results do you get from that query? How do those results differ from the desired results?

The coalesce function does not compare fields. Use if to do that.

| eval m = if(cn1==alert, "Match", "No Match")

---
If this reply helps you, Karma would be appreciated.

rohitnaz007 · ‎12-07-2020

Reply got from that query as below,

cn1	alert	m
	4361101	4361101
4361645		4361645
	4361645	4361645
4361738		4361738

& as per your solution,

| eval m = if(cn1==alert, "Match", "No Match")

gives result as below,

cn1	alert	m
4369221		No Match
	4369135	No Match
	4369135	No Match
4369418		No Match

@richgalloway @elrich11

want to Expected result Like this,

cn1	alert	m
4369221	4369221	Match
4369222	4369135	No Match
4369243	4369135	No Match
4369418		No Match

How to compare two fields from two different index and display results with match or No-match?

eval

fields

stats

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?