Solved: How to compare Field Values of Two Different Field...

atebysandwich · ‎06-06-2023

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth.1

Some of the field values in each version of Host_Auth match and some don't. How can I find the events that do not match?

I've tried where Host_Auth != Host_Auth.1 and eval but nothing works

yuanliu · ‎06-06-2023

Let me take a guess: you can do yourself a favor by not naming fields with special characters.

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth_1
| where Host_Auth != Host_Auth_1

When field name contains special characters, you need to use single quotes in order to dereference their values, like

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth.1
| where Host_Auth != 'Host_Auth.1'

yuanliu · ‎06-06-2023

Let me take a guess: you can do yourself a favor by not naming fields with special characters.

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth_1
| where Host_Auth != Host_Auth_1

When field name contains special characters, you need to use single quotes in order to dereference their values, like

|inputlookup lookup1,csv
|fields IP Host_Auth
|lookup lookup2.csv IP output Host_Auth as Host_Auth.1
| where Host_Auth != 'Host_Auth.1'

How to compare Field Values of Two Different Fields from Two Lookups?