!= in splunk

I have two fields, userid and serial number. I need to find all the machines whose userid is not equal to serial number. How to do that? I tried with the != operator, the NOT operator and all, nothing worked. Please help.

Hi All,
Thanks for your prompt response. I tried all these possibilities and no luck.
I will explain more elaborately.
I need to know the list of "outletID" where two fields do NOT have the same value.
The two fields being UserName, Serialnumber from a known index and source type.
I tried just like
index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where NOT UserName=serialNumber | table UserName OutletID
Also, when I put |table username,outletid serialnumber it shows only username and outletid (only the first two fields). Why is this so?

index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where NOT UserName=serialNumber | table UserName OutletID serialNumber
Keys are always case sensitive; values are not case sensitive by default. Field names are keys.
When you are starting to develop a search:
- First do the search (without a where and table) to make sure you get events.
- Then add your where modifier and see that you have fewer events than before.
- Then add your table modifier and change from clever search mode to verbose search mode.
When fields in a table are empty, it generally means the field is empty (with a "") or does not exist (with a NULL)... you have to take a look at the events to figure it out.
Without the events nobody here can say where your problems are, especially when you keep changing the case of the keys in your descriptions of your problem.

Try this
index=aw_dispenser sourcetype=EnrolledDevices UserName!="SYSTEM" | where UserName!=serialNumber | table UserName OutletID

I wouldn't recommend match() because it expects a regular expression as its second argument. Depending on your serialnumber values that can get very ugly.
Instead, use != or NOT if you want "not equals": | where userid != serialnumber or | where NOT userid = serialnumber
Be aware this is a case sensitive comparison.
In the search command - especially before the first pipe -, userid != serialnumber treats serialnumber as "serialnumber" - you're looking for nonequality to a string. I'd say it's an early design decision in SPL to make searching for strings easier, at the cost of making comparing two fields with each other harder.
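The two points made in the replies above (use where, not the search command, to compare two fields; the comparison is case sensitive, and field names are case sensitive too) can be checked without any index. The following is an added, self-contained SPL example, not code from any poster in this thread; it builds four constructed events with makeresults, using the field names from the question (UserName, serialNumber, OutletID), and then applies the same filter the thread arrives at. The serial and outlet values are made up.

```spl
| makeresults count=4
| streamstats count AS n
| eval UserName=case(n=1, "ABC123", n=2, "abc123", n=3, "SYSTEM", n=4, "XYZ999"),
       serialNumber=case(n=1, "ABC123", n=2, "ABC123", n=3, "SN-0001", n=4, "SN-0002"),
       OutletID="OUT-".n
| search UserName!="SYSTEM"
| where UserName!=serialNumber
| table OutletID UserName serialNumber
```

Run as written, this returns two rows, OUT-2 and OUT-4: OUT-1 is dropped because both fields are identical, OUT-3 because of the UserName!="SYSTEM" filter, and OUT-2 is kept only because where compares case sensitively ("abc123" is not "ABC123"). If the intent is to treat differing case as the same value, replace the where line with | where lower(UserName)!=lower(serialNumber), which leaves only OUT-4. To see the pitfall described above, replace the where line with | search UserName!=serialNumber: all three remaining rows come back, because in the search command the unquoted serialNumber is the literal string "serialNumber", not a field reference. Finally, referring to the field as serialnumber (lower case) in the where clause produces an empty column and no filtering, which is the behaviour the question reports for its table command: field names are keys and keys are case sensitive.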

The docs now explicitly mention how to compare fields: http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Search#Comparing_two_fields

Try the match operator for eval/where.
You don't provide any events or your search, so I'm just guessing, but ...
... Your base search ... | where not match(userid,serialnumber)
This gets wonky if you have spaces in either field name, but if you can edit the question (or add a comment) with more information I'm sure we can get this sorted out for you.
Items to add that would help us help you? One or two of the searches you tried (that gives us context), perhaps a couple of events (which gives us data patterns). Be sure to use the code button to format each one!
Happy Splunking,
Rich

{Base search} | eval eq=if(userid=snr, 1,2) | search eq=2

A search in Splunk can't compare values from one key to another.
Not sure other big data tools can do that directly in the search.
Anyway... the search was written very quickly, and the eval can also be used as an automatically generated field when needed. When you have it in an auto-generated field... you can also filter on it in your base search.
