Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search by comparing two String attributes that are unequal?

akhil11
Loves-to-Learn
‎02-16-2022 01:44 PM

Below is the usual Splunk Search line in addressVal is not equal to outAddressVal.

I tried below Search but it did not help

index= *  addressVal outAddressVal| where (rtrim(ltrim('addressVal ')) != rtrim(ltrim('outAddressVal')))

Content line is like below

addressVal = WV ,outAddressVal= RA

addressVal = CA,outAddressVal= RA

addressVal = WV ,outAddressVal= RA

addressVal = WV ,outAddressVal= RA
Labels (4)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-21-2022 01:08 PM

I think the confusion comes from how field name is constructed during extraction; specifically, the first field name is most likely 'addressVal', not 'addressVal '.  Therefore,

index= *  addressVal outAddressVal| where (rtrim(ltrim('addressVal')) != rtrim(ltrim('outAddressVal')))

should work for your data. 

Meanwhile, Splunk's key-value extraction ignores spaces surrounding equal sign ("="), as well as trailing blanks after the last consecutive non-space character in value.  (Unless you use custom extraction algorithms.)  This means that the values probably do not contain spaces, either.  In other words,

index= *  addressVal outAddressVal
| where 'addressVal' != 'outAddressVal'

may suffice.  But if you feel necessary to both ltrim() and rtrim(), @isoutamo's suggestion of trim() would be a better choice.

0 Karma
Reply

akhil11
Loves-to-Learn
‎02-16-2022 01:59 PM

Thank you for your response. Yes - both the fields shows in the list of interested fields on left bottom side of splunk search

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-17-2022 12:43 AM

And you're sure your field names are properly cased?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎02-17-2022 04:24 AM

Hi

It those field are from you events and you want to compare content of them (removing spaces and tab) then you can do it like this

| where trim(addressVal) != trim(outAddressVal)

If there are no spaces or tabs inside outer letters like " asdsda ". But if there are those inside string then you need to use your original without those ' over your fieldnames. If you are using it like 'addressVal ' then the fieldname  is 'addressVal ' not 'addressVal'.

r. Ismo

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-16-2022 01:53 PM

Are your fields addressVal and outAddressVal getting parsed out from the event? If they aren't your "where" won't work because you don't have anything to compare.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...