- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: match 2 fields with same value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search and need to match 2 fields and show the match. I tried eval match(field1, field2) and eval results = if(match(field2,field1)) , but that failes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you may be making some incorrect assumptions about how things work.
The answers you are getting have to do with testing whether fields on a single event are equal.
If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.
Here's the basic stats version. Try to use this form if you can, because it's usually most efficient...
(index=foo1 some other search for record with field1) OR
(index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * by matchfield
Here's a basic join version...
(index=foo1 some other search for record with field1)
| fields index field1 whatever you need from field1 record
| eval matchfield=field1
| join matchfield [ search
index=foo2 some other search for records with field2
| fields index field2 whatever you need from field2 record
| eval matchfield=field2
]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you may be making some incorrect assumptions about how things work.
The answers you are getting have to do with testing whether fields on a single event are equal.
If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.
Here's the basic stats version. Try to use this form if you can, because it's usually most efficient...
(index=foo1 some other search for record with field1) OR
(index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * by matchfield
Here's a basic join version...
(index=foo1 some other search for record with field1)
| fields index field1 whatever you need from field1 record
| eval matchfield=field1
| join matchfield [ search
index=foo2 some other search for records with field2
| fields index field2 whatever you need from field2 record
| eval matchfield=field2
]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems that field1 and field2 cannot be gathered from the main search, so I need to get a subsearch that gets fields 2 and then I have search for the same value's
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ecanmaster, as per your question @micahkemp's answer would suffice the need. Seems like your data is not as per the condition provided in your question. So can you add sample events for the two fields with the field names? Also if you add a details around what is the desired output?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ecanmaster,
Can you please try this?
| makeresults
| eval field1="MyValue",field2="MyValue"
| eval results1=if(field1=field2,"Yes","No")
| eval results2=if(match(field1,field2),"Yes","No")
Here results1 shows the direct comparison of two fields.
Here results1 shows the comparison of two fields using match.
If you want to filter events where both fields are same then use below condition.
| where match(field1,field2)
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
| where field2=field1
match uses regex, not values from other fields, but where will compare two fields.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
