Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

compare two fields value for equality in two different indexes

simin67rose
New Member
‎02-08-2017 02:40 AM

HI
I want to know why this code is not working
index="malecious_url" OR index="surikata" |fields http2,http | where(http==http2)

I want to compare them and show which thing is similar in 2 fields that I created in 2 different indexes and sourcetypes

Tags (1)
0 Karma
Reply

starcher
Influencer
‎02-08-2017 08:31 AM

== is equal. Similar is not the same statement. So, if the fields do not match exactly you will get no results. try a table http, http2 on the end and skim the results to see how they look compared to each other.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...