×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lgsplunks
Explorer
Member since: ‎07-06-2022
‎08-04-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 3
Karma Received 1
Member Since ‎07-06-2022
Activity Feed
View All

Re: Compare Different Fields in Different Events

by in Splunk Search
‎07-07-2022 05:43 AM
1 Karma
‎07-07-2022 05:43 AM
1 Karma
Thank you! This worked. There should be only two events for each ACCOUNT_NUM as I did a dedup as part of the initial search (not included in my question). Performing the eval with the new field names AND the single quotes was the solution. I can't believe I missed the part about single quotes in my training, so many hours wasted... Thank you again! ... View more

Re: Compare Different Fields in Different Events

by in Splunk Search
‎07-07-2022 05:39 AM
‎07-07-2022 05:39 AM
Thank you for this information! I did try this fix but I believe because the "date" fields for these events are actually strings, it didn't fix the problem. I should have clarified that in my question that although I am calling the fields dates, they are strings. However, I am adding your comment to my Splunk notes so I have that helpful knowledge when I am working with dates - I don't think that was covered in any of my initial training.  ... View more

Compare Different Fields in Different Events

by in Splunk Search
‎07-06-2022 01:11 PM
‎07-06-2022 01:11 PM
New to Splunk and banging my head against the wall with this problem for over a day now. Please help... Need to compare two different fields from two different events to determine whether the values of those fields match. I ran a search that returns events. All events have an ACCOUNT_NUM field. Depending on the event, it will have either a DATE_TYPE1 field or a DATE_TYPE2 field. The report should display each distinct ACCOUNT_NUM that has one of each DATE_TYPE - so, a column for ACCOUNT NUM, a column for DATE_TYPE1, a column for DATE_TYPE2, and a column for DATE_STATUS ("Match" or "No Match") to indicate whether the two dates match.  So far, I have:   | stats values(DATE_TYPE1) AS "Date One" values(DATE_TYPE2) AS "Date Two" count by ACCOUNT_NUM | where count > 1   This groups the distinct ACCOUNT_NUM and shows me the two DATE_TYPES but how do I indicate whether the two dates match? I tried adding:   | eval DATE_STATUS=if(DATE_TYPE1=DATE_TYPE2, "Match", "No Match")   but this returns "No Match" for all of the events. My understanding is this is because    | eval   is evaluating each event individually. Since no event has both date types, it is not finding a match. How can I get it to compare the date types of each distinct account number as grouped together by my   | stats   command? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-04-2022 09:22 PM
Karma from
View All
Karma given to