How to compare two fields in two different sourcet...

chimbudp · ‎02-11-2014

How to compare two fields in two different sourcetypes ?

eg:

Events from sourcetype 1 : int

Tier OS      version
SIT  MAC        v8 
SIT  Windows  v7    
SIT  CentOS     v2

sourcetype 2 : uat

Tier OS      version   
UAT   MAC        v8 
UAT   Windows  v6    
UAT   CentOS     v2

I used the query :

index=* sourcetype =int|table OS,INTversion|join[search index=* sourcetype=uat|table UATversion]

Output:

Tier | INTversion |UATversion
MAC | v8 | v8
Windows |v7 | v6 
CentOS | v2 |v2

I need a additional column here like Difference between INT & UAT -

Expected Output:

Tier | INTversion |UATversion | Difference
MAC | v8 | v8 | No
Windows |v7 | v6 |Yes
CentOS | v2 |v2 | No

I tried with some diff , match , eval commands - doesn't helped. Please help in this

Ayn · ‎02-11-2014

What did you try that didn't work? I expect something like this should do it:

index=* sourcetype =int|table OS,INTversion|join[search index=* sourcetype=uat|table UATversion] | eval Difference=if(INTversion==UATversion,"No","Yes")

How to compare two fields in two different sourcetypes ?

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to compare two fields in two different sourcetypes ?

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!