Solved: How to compare two fields with every value?

username13 · ‎09-03-2021

Hi guys. I'm completly new to Splunk. Sorry if my question seems kinda stupid 🙂

I have some log-data including a GUID. Those are separated in two kinds: "error" and "times". Sometimes, an error-log has the same GUID as a times-log. I need to count those double GUIDs, for that reason I have to extract the GUIDs from their original field und compare them with each other.

I managed to extract them with Regex into two new fields. But now I'm searching for an opportunity to compare every error-GUID with every times-GUID.

Thanks for your help! 🙂

richgalloway · ‎09-03-2021

Are the two GUIDs in the same event or different events? If so, a simple where command should find the duplicates.

... | where errorGUID = timesGUID

If they're in different events, then we'll need to create a common field so the stats command can group events. Then keep only the results where two events have the same GUID.

... | eval GUID=coalesce(errorGUID, timesGUID)
| stats count, values(*) as * by GUID
| where count=2

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-03-2021

Are the two GUIDs in the same event or different events? If so, a simple where command should find the duplicates.

... | where errorGUID = timesGUID

If they're in different events, then we'll need to create a common field so the stats command can group events. Then keep only the results where two events have the same GUID.

... | eval GUID=coalesce(errorGUID, timesGUID)
| stats count, values(*) as * by GUID
| where count=2

---
If this reply helps you, Karma would be appreciated.

username13 · ‎09-06-2021

It worked. Thank you so much!

How to compare two fields with every value?

count

fields

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...