Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

compare two field values for equality

EricPartington
Communicator
‎09-26-2012 09:25 AM

I have the output of a firewall config, i want to make sure that our naming standard is consistent with the actual function of the network object.

I have a table of the name of the object and the subnet and mask. I want to compare the name and name-combo fields to see if they are the same, and show only those that are not the same.

example row
cluster name name-combo subnet bits match
1 FW1-2 NET69.90.64.0-20 NET69.90.64.0-20 69.90.64.0 20 No Match
2 FW1-2 NET69.90.63.0-8 NET69.90.63.0-20 69.90.64.0 20 No Match

here is my search

`abc_firewall_rules` eventtype=subnet [search index="abc_rules" eventtype=subnet | dedup cluster | fields + source] 
| dedup name,cluster | eval name-combo="NET".subnet."-".bits 
| eval match=if(name-combo=name,"Match","No Match")
|  table cluster,name,name-combo,subnet,bits,match

row 1 should show match and row 2 should show no match..

have tried using | where NOT name=name-combo
have tried using | where name!=name-combo

all show ro results found but in my sample data there are rows that do not match and should show up..

any ideas ?

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-26-2012 03:37 PM

I think I have it figured out - it's a weird one! Field names are supposed to contain letters, numerals or the underscore, and must start with a letter. name-combo violates this rule, but Splunk doesn't complain! The reason why it doesn't work is that in the if statement, Splunk interprets your test as `name - combo = name" - this will never match...

So change name-combo to name_combo and it should work.

View solution in original post

Reply
Solved! Jump to solution

brettcave
Builder
‎01-28-2013 12:27 AM

i have a similar problem. I apply a filter after stats:

stats dc(field1) as someCount dc(someThing) as otherCount by group | search NOT someCount=otherCount

The above search returns all values, regardless of whether they match or not, so assuming its checking where someCount matches a literal of "otherCount". This works:

... | eval countDiff=someCount-otherCount | search NOT countDiff=0

HTH

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎02-08-2013 12:43 PM

Actually Brett, your problem is different.

| search NOT someCount=otherCount

is interpreted as

| search NOT someCount="otherCount"

search always searches for name=value, whether you use the quotes around the value or not. You could make the first search work by using where instead:

... | stats dc(field1) as someCount dc(someThing) as otherCount by group
| where NOT someCount=otherCount

Reply
Solved! Jump to solution

payal4296
Explorer
‎03-12-2021 09:01 AM

what if 1 field  with string "A" is the substring  of flied "B"?
|where B=*A* , 
how can we find out that?


0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎03-13-2021 07:27 AM

Hi @payal4296,

Please try below; checking if field A is a substring of field B...

| eval A="%".A."%"
| where B like A

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-26-2012 03:37 PM

I think I have it figured out - it's a weird one! Field names are supposed to contain letters, numerals or the underscore, and must start with a letter. name-combo violates this rule, but Splunk doesn't complain! The reason why it doesn't work is that in the if statement, Splunk interprets your test as `name - combo = name" - this will never match...

So change name-combo to name_combo and it should work.

Reply
Solved! Jump to solution

EricPartington
Communicator
‎09-26-2012 11:47 AM

well getting somewhere now..

appears that my field name-combo is not a string (thanks for your test command).

so i tried to convert the field to string with
eval name-combo=tostring(name-combo)
however not able to get a "string" output from that

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎09-26-2012 11:45 AM

If your search is working properly, you should have output, regardless of whether things match or not. Does this search return any results? What does the search job inspector say?

`abc_firewall_rules` eventtype=subnet [search index="abc_rules" eventtype=subnet | dedup cluster | fields + source]

I am guessing that this is a problem with your search, not your logic.

0 Karma
Reply
Solved! Jump to solution

EricPartington
Communicator
‎09-26-2012 11:48 AM

the search is fine, i get results from that search, the problem appears to be the concat string isnt coming out as a string to compare with

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎09-26-2012 11:39 AM

I usually do some checks on my fields when this happens using eval to makes sure that i'm comparing what I expect. This should be comparing string to string but make the types are ok "eval test = if( isstr(name)", "String", "Not String" } table test)". Everything looks good as far as i can tell.

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...