Splunk Search

I need to compare two results based on one part of a field ( and not the entire field )

USER78
New Member

I have search A which gives out results like field A, field B , field C, where field C is a combination of two halves like part 1.part2.

Now, I want to compare/combine the results of this search with another search that gives out columns like field D , field E, field C ( here field C contains only part 2 and does not have part 1 ).
My question is :

  1. How do I compare/combine results of search 1 with results of search 2 to see events that have part 2 of field C matching/same.
Tags (1)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

something like this

(your search that gets the first kind of records let's say index="typeone") 
OR

(your search that gets the second kind of records let's say index="typetwo")

| fields index ...fieldA fieldB fieldC1 fieldD fieldE fieldC2 (list all the fields you need, including fields to tell which kind of record it is)

(your additional search language that decodes any data needed, including pulling that second half of fieldC1 into some fieldQ) 

| eval matchfield = if(this/is/a/typeone,fieldQ,fieldC2)

(optionally, another fields command here to get rid of anything you no longer need...)

| stats values(*) as * by matchfield
0 Karma

USER78
New Member

I am trying to understand your eval condition here : If I try to read it , does it mean eval field name "matchfield" will get value fieldQ if the if condition is true else will it get field C2 ?

What I need to see is the results only that have fieldQ==field C2. so is the above eval command right ?

eval matchfield = if ( fieldQ==Field C2 , field Q , fieldC2 )

Is this right ?

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...