Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search comparison not working

randy_moore
Path Finder
‎11-24-2021 07:47 AM

Hi - 
I have some data that looks like this, which ingests into splunk with no issues at all

 

 

 

11/24/2021 08:47:21.321,"category":"transaction","tc"="93","amount_approved":"9.99","amount_requested":"493.95" etc etc etc
11/24/2021 08:45:14.121,"category":"transaction","tc"="93","amount_approved":"5.99","amount_requested":"5.99" etc etc etc
11/24/2021 08:45:14.121,"category":"transaction","tc"="01","amount_approved":"6.99","amount_requested":"6.99" etc etc etc

 

 

 

I want to do a a search to filter out the transactions to only see where the amounts differ

 

 

 

index=ABC sourcetype=XZX category=transaction tc=93 amount_approved!=amount_requested

 

 

 

 That simple search doesn't work.     splunk is not filtering on the amount_approved!=amount_requested comparison.     In the example above I would get both "tc=93" transactions from the sample data , instead of just getting the first one.

If I remove the amount_approved!=amount_requested  from the search and add it to a where clause like this

 

 

index=ABC sourcetype=XZX category=transaction tc=93
|where amount_approved!=amount_requested

 

 

it works fine as I only get 1 event back.
What is wrong with my initial search line?

I would like to not read in all of the transactions before I filter, hence the need to put the comparison on the search line. 

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 08:21 AM

The first query fails because the search command cannot handle a field name on both sides of an expression.  The where command, however, does handle such an expression.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 08:21 AM

The first query fails because the search command cannot handle a field name on both sides of an expression.  The where command, however, does handle such an expression.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

randy_moore
Path Finder
‎11-24-2021 08:54 AM

Thanks @richgalloway    I knew it was something simple that I had forgotten about.   Says exactly that in the search reference guide, here: Search Ref Guide 

Comparing two fields

To compare two fields, do not specify index=myindex fieldA=fieldB or index=myindex fieldA!=fieldB with the search command. When specifying a comparison_expression, the search command expects a <field> compared with a <value>. The search command interprets fieldB as the value, and not as the name of a field.

Use thewherecommand to compare two fields.

Thanks again!

Reply
Solved! Jump to solution

Sum_Var
Engager
‎11-24-2021 11:46 AM

Appreciate the details. Very Helpful!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...