×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
rohitnaz007
Loves-to-Learn Lots
Member since: ‎12-01-2020
‎06-29-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-01-2020
Activity Feed
View All

Re: How to compare two fields from two different i...

by in Splunk Search
‎12-07-2020 11:18 AM
‎12-07-2020 11:18 AM
Reply got from that query as below,   cn1 alert m   4361101 4361101 4361645   4361645   4361645 4361645 4361738   4361738  & as per your solution, | eval m = if(cn1==alert, "Match", "No Match") gives result as below, cn1 alert m 4369221   No Match   4369135 No Match   4369135 No Match 4369418   No Match   @richgalloway @elrich11  want to Expected result Like this, cn1 alert m 4369221 4369221 Match 4369222 4369135 No Match 4369243 4369135 No Match 4369418   No Match ... View more

How to compare two fields from two different index...

by in Splunk Search
‎12-07-2020 04:13 AM
‎12-07-2020 04:13 AM
I am running 2 different Index and have to compare each value in field 1 from 1st index with the values in field2 from index 2 . & also regex is used for other field value. The display result should show a match or a Non Match against each value.        Given Data: (index=cmi cef_vendor="Imperva Inc." cef_product="WAF" dvc="10.124.1.202" act="None" cs2="*" deviceSeverity=High) OR (index=case_management DeviceProduct=WAF fname IN ("*CMI - WAF*")) | rex field=fname "(-)(?(\s)(PROD|SFR)+(\s))(-)(?(\s)[\w]+(\s)[\w]+(\s))(?(\d)+(\s))(-)" | eval m=coalesce(cn1,alert) | stats values(cn1) as cn1 values(alert) as alert by m | table cn1 alert m   Results should be something like this table: cn1                  alert             m 453626     453626      Match 453624     453626     No Match @elrich11  ... View more
Labels

Re: How do i use join in a query where i have used...

by in Splunk Dev
‎12-02-2020 12:15 AM
‎12-02-2020 12:15 AM
can anyone help in this scenario, this is an urgent issue for me! ... View more

How do i use join in a query where i have used dat...

by in Splunk Dev
‎12-01-2020 04:30 AM
‎12-01-2020 04:30 AM
I am using search query from indexes using join operator and get result as below , Search Query = index=case_management AND cef_name="Case inserted" | where fname LIKE "%%CMI - IPS%%" | dedup fileId | join fname [ search index=case_management AND cef_name="Case updated" ] | rex field=fname "CMI - IPS - \((?<customer_id>[\d]+)\) - CMI (?<Env>[^\s]+) - " | where Env ="Prod" | timechart span=1mon count by flexString2 fixedrange=false cont=false | where _time>=relative_time(now(),"-3mon@mon") AND _time<relative_time(now(),"-0mon@mon")   Result is= _time       Closed Follow-Up Queued 2020-09   113             4                   1 2020-10   26                0                   0 i want to get the same result by writing a query using data model.  @elrich11  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-29-2021 02:54 PM