Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

compare values from 2 string fields and identify matches

mrbeck02
Explorer
‎06-08-2017 10:28 AM

We are attempting to compare the string values from 2 different fields, and report on the values which are found in both fields.

Example:
Date,Field1,Field2,Foo,Bar
4.3.17,123456,ffgghh,sfuff,stuff
4.4.17,000000,123456,stuff,stuff

Report: value 123456 is found in field1 and field2

I have been able to build a table to show the values of the fields and visually find the matches, I need to be able to do this over large periods of time, and then build alerts when there is a value in Field1 which appears in Field2.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-08-2017 11:22 AM 
 your search that returns | table Date,Field1,Field2,Foo,Bar
| eval fan=mvappend("A","B")
| mvexpand fan
| eval matchfield=if(fan="A",Field1,Field2)
| stats dc(fan) as matchcount, values(*) as * by matchfield
| where matchcount> 1
| table matchfield

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎06-08-2017 11:22 AM 
 your search that returns | table Date,Field1,Field2,Foo,Bar
| eval fan=mvappend("A","B")
| mvexpand fan
| eval matchfield=if(fan="A",Field1,Field2)
| stats dc(fan) as matchcount, values(*) as * by matchfield
| where matchcount> 1
| table matchfield
Reply
Solved! Jump to solution

mrbeck02
Explorer
‎06-08-2017 01:32 PM

Thank you,

I made a few modifications, but this is working. Much appreciated.

...
1. table Field1,Field2,matchfield,stuff,stuff
2. sort - matchcount

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-09-2017 07:22 AM

Yep, I thought about deleting line 7 or adding wording at the end, but your wording "Report: value 123456 is found in field1 and field2" didn't seem to require feeding out the foos and bars.

There is a more complicated coding strategy, if you need to know which values came from which record, where after the fan you concatenate everything into a single field, with a different name for A or B, table just the matchfield and those two fields, then stats them, then use a rex to put them back into a bunch of separate fields again.

Didn't figure you needed that one, but now that you've seen the basic method, you can get there if you want.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...