Solved: help on a text comparison fonction

jip31 · ‎09-26-2019

Hi

I need to compare two fields from the text characters of these two fields
So I need to do something like this
where toto <> tata
The problem I have is the text one field is never exactly the same than in other field
It means that either the fields are really different and in this case I want to display the events nor the fields are almost the same
For example, if I have in one field called "spring" and in the othe field "spring - winter" I want to consider that these fields are the same because there is spring in both
Is there a solution to do this please?

wmyersas · ‎09-26-2019

You might try something like:

| eval toto=upper(toto)
| eval tata=upper(tata)
| where match(toto,'tata') OR match(tata,'toto')

This should do a match() compare between the value of toto and the value of tata (using tata as a regex), and vice versa

Feel free to extrapolate from there how you might like to go

View solution in original post

wmyersas · ‎09-26-2019

You might try something like:

| eval toto=upper(toto)
| eval tata=upper(tata)
| where match(toto,'tata') OR match(tata,'toto')

This should do a match() compare between the value of toto and the value of tata (using tata as a regex), and vice versa

Feel free to extrapolate from there how you might like to go

Anantha123 · ‎09-26-2019

If the values in fields are constant then you may use rex , extract the required values from fields and compare it .

adonio · ‎09-26-2019

to be clear, do you wish to do text comparison to values or to fields?
can you share some sample data?

help on a text comparison fonction

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

help on a text comparison fonction

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!