Solved: Why comparision not working when field is having v...

ma_anand1984 · ‎12-18-2012

fieldA is the extracted field already available
fieldB is eval field

| eval fieldB=*

| where fieldA=fieldB

Here im trying to match all values of fieldA. above command is not working

where as if i give
| eval fieldB=test

| where fieldA=fieldB
then it matches fieldA with value test

Im trying to do something complex , this is the part where i am stuck

martin_mueller · ‎12-18-2012

The eval command treats the asterisk character as multiplication.

If your task is complex I recommend regular expressions, for example to match everything:

... | eval fieldB=".*" | where match(fieldA, fieldB)

To match "test":

... | eval fieldB="^test$" | where match(fieldA, fieldB)

martin_mueller · ‎12-18-2012

The eval command treats the asterisk character as multiplication.

If your task is complex I recommend regular expressions, for example to match everything:

... | eval fieldB=".*" | where match(fieldA, fieldB)

To match "test":

... | eval fieldB="^test$" | where match(fieldA, fieldB)

Ayn · ‎12-18-2012

Just as an FYI, you don't need to call format at the end of a subsearch, because it will be called implicitly anyway.

ma_anand1984 · ‎12-18-2012

I prefer using your way. its faster 🙂

ma_anand1984 · ‎12-18-2012

thank you for the tip. I actually wrote a subsearch to achieve it !!!!

[search |stats count |eval fieldA= if("APP"=="APP","*","test") | fields fieldA| format]

Why comparision not working when field is having value "*"