What is the command to check if a field exists in ...

avivn · ‎09-20-2016

hello

what is the command to check if a field exists in one column but not the other?

for example, to count the "10.2.3.3" because it exists in the source column but not in the target column :

source_             |target
10.1.2.3             |10.1.2.3
10.2.3.3             |10.2.2.2

thanks

inventsekar · ‎09-20-2016

try this....

yoursearch | table source, target | where source!=target

avivn · ‎09-21-2016

not working ,,,,

sjalexander · ‎09-21-2016

I downvoted this post because not an answer

sidbisht · ‎07-25-2020

Although the question is 4 years old I had encountered something similar for an Alert. Please try this

to4kawa · ‎07-25-2020

| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| eventstats values(ip2) as tmp
| stats count(eval(match(tmp,ip1))) as count list(ip2) as ip2 values(temp) as temp by ip1
| sort temp
| fields - temp

@sidbisht your creating temp1 is interesting.

How about this query?
For comparing fields, make multi value and use match(), I think.

somesoni2 · ‎09-20-2016

There won't be a straight forward command to the comparison. Try this subsearch method

your base search | where NOT [search yourbasesearch | stats count by target | table target | rename target as source] | stats count by source

avivn · ‎09-21-2016

not working ...

inventsekar · ‎09-21-2016

You simply want to list or you want to count as well?

What is the command to check if a field exists in one column but not in the other column?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes