Below is the usual Splunk Search line in addressVal is not equal to outAddressVal.
I tried below Search but it did not help
index= * addressVal outAddressVal| where (rtrim(ltrim('addressVal ')) != rtrim(ltrim('outAddressVal')))
Content line is like below
addressVal = WV ,outAddressVal= RA
addressVal = CA,outAddressVal= RA
addressVal = WV ,outAddressVal= RA
addressVal = WV ,outAddressVal= RA
I think the confusion comes from how field name is constructed during extraction; specifically, the first field name is most likely 'addressVal', not 'addressVal '. Therefore,
index= * addressVal outAddressVal| where (rtrim(ltrim('addressVal')) != rtrim(ltrim('outAddressVal')))
should work for your data.
Meanwhile, Splunk's key-value extraction ignores spaces surrounding equal sign ("="), as well as trailing blanks after the last consecutive non-space character in value. (Unless you use custom extraction algorithms.) This means that the values probably do not contain spaces, either. In other words,
index= * addressVal outAddressVal
| where 'addressVal' != 'outAddressVal'
may suffice. But if you feel necessary to both ltrim() and rtrim(), @isoutamo's suggestion of trim() would be a better choice.
Thank you for your response. Yes - both the fields shows in the list of interested fields on left bottom side of splunk search
And you're sure your field names are properly cased?
Hi
It those field are from you events and you want to compare content of them (removing spaces and tab) then you can do it like this
| where trim(addressVal) != trim(outAddressVal)
If there are no spaces or tabs inside outer letters like " asdsda ". But if there are those inside string then you need to use your original without those ' over your fieldnames. If you are using it like 'addressVal ' then the fieldname is 'addressVal ' not 'addressVal'.
r. Ismo
Are your fields addressVal and outAddressVal getting parsed out from the event? If they aren't your "where" won't work because you don't have anything to compare.