Solved: help on a text comparison fonction

jip31 · ‎09-26-2019

Hi

I need to compare two fields from the text characters of these two fields
So I need to do something like this
where toto <> tata
The problem I have is the text one field is never exactly the same than in other field
It means that either the fields are really different and in this case I want to display the events nor the fields are almost the same
For example, if I have in one field called "spring" and in the othe field "spring - winter" I want to consider that these fields are the same because there is spring in both
Is there a solution to do this please?

wmyersas · ‎09-26-2019

You might try something like:

| eval toto=upper(toto)
| eval tata=upper(tata)
| where match(toto,'tata') OR match(tata,'toto')

This should do a match() compare between the value of toto and the value of tata (using tata as a regex), and vice versa

Feel free to extrapolate from there how you might like to go

View solution in original post

wmyersas · ‎09-26-2019

You might try something like:

| eval toto=upper(toto)
| eval tata=upper(tata)
| where match(toto,'tata') OR match(tata,'toto')

This should do a match() compare between the value of toto and the value of tata (using tata as a regex), and vice versa

Feel free to extrapolate from there how you might like to go

Anantha123 · ‎09-26-2019

If the values in fields are constant then you may use rex , extract the required values from fields and compare it .

adonio · ‎09-26-2019

to be clear, do you wish to do text comparison to values or to fields?
can you share some sample data?

help on a text comparison fonction

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio