match 2 fields with same value

ecanmaster
Explorer

I have a search and need to match 2 fields and show the match. I tried eval match(field1, field2) and eval results = if(match(field2,field1)), but that fails.


DalJeanis
SplunkTrust

I think you may be making some incorrect assumptions about how things work.

The answers you are getting have to do with testing whether fields on a single event are equal.

If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.

Here's the basic stats version. Try to use this form if you can, because it's usually most efficient...

(index=foo1 some other search for record with field1) OR 
(index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * by matchfield

Here's a basic join version...

(index=foo1 some other search for record with field1) 
| fields index field1 whatever you need from field1 record
| eval matchfield=field1
| join matchfield [ search 
    index=foo2 some other search for records with field2 
   | fields index field2 whatever you need from field2 record
   | eval matchfield=field2
   ]

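To make the stats version concrete, here is an added, self-contained example that is not part of DalJeanis's answer: it builds four constructed events with makeresults and append in place of the two real index searches (src, field1, field2, host and process are made-up field names standing in for an auth log and an EDR log), then applies the same coalesce/stats pattern. The dc(src) count and the final where clause are my addition: they keep only keys that appeared in both datasets, which is what "show the match" usually means.

```spl
| makeresults | eval src="auth", field1="alice", host="web01"
| append [| makeresults | eval src="auth", field1="bob", host="web02"]
| append [| makeresults | eval src="edr", field2="alice", process="powershell.exe"]
| append [| makeresults | eval src="edr", field2="carol", process="cmd.exe"]
| fields - _time
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * dc(src) as sources by matchfield
| where sources=2
```

Expected result is a single row: matchfield=alice with field1, field2, host=web01 and process=powershell.exe side by side, src holding both auth and edr, and sources=2. Drop the last line to see bob and carol as well (sources=1), which is the behaviour of the original stats form: it is an outer correlation, so the check on sources is what turns it into an inner one.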
ecanmaster
Explorer

It seems that field1 and field2 cannot be gathered from the main search, so I need a subsearch that gets field2 and then search for the same values.


niketn
Legend

@ecanmaster, as per your question, @micahkemp's answer would suffice. It seems your data is not as per the condition provided in your question. Can you add sample events for the two fields with the field names? Also, can you add details about what the desired output is?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

kamlesh_vaghela
SplunkTrust

Hi @ecanmaster,

Can you please try this?

| makeresults 
| eval field1="MyValue",field2="MyValue" 
| eval results1=if(field1=field2,"Yes","No") 
| eval results2=if(match(field1,field2),"Yes","No")

Here results1 shows the direct comparison of the two fields.
Here results2 shows the comparison of the two fields using match.
If you want to filter events where both fields are the same, then use the condition below.

| where match(field1,field2)

Thanks

micahkemp
Champion

Try:

| where field2=field1

match uses regex, not values from other fields, but where will compare two fields.
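As an added example (mine, not from kamlesh_vaghela's or micahkemp's replies) of why = is the right operator for an exact comparison and match is not: the constructed rows below pair an IP-like string with a lookalike, a value with a superstring of it, an identical pair, and a pair differing only in case, then compare each row both ways.

```spl
| makeresults | eval field1="10.0.0.1", field2="10a0b0c1"
| append [| makeresults | eval field1="admin", field2="sysadmin"]
| append [| makeresults | eval field1="alice", field2="alice"]
| append [| makeresults | eval field1="Alice", field2="alice"]
| fields - _time
| eval exact=if(field1=field2,"Yes","No")
| eval via_match=if(match(field2,field1),"Yes","No")
| eval exact_ci=if(lower(field1)=lower(field2),"Yes","No")
| table field1 field2 exact via_match exact_ci
```

Expected output: row 1 gives exact=No but via_match=Yes, because match treats field1 as a regex and each unescaped dot matches any character; row 2 gives exact=No but via_match=Yes, because the pattern is unanchored and "admin" is found inside "sysadmin"; row 3 is Yes on all three columns; row 4 gives exact=No and via_match=No (both are case-sensitive) while exact_ci=Yes. For a field-to-field equality test, `| where field1=field2` (or lower() on both sides when case should not matter) is the safe form. One quoting caveat: in where, field1=field2 compares the two fields, whereas field1="field2" compares field1 with the literal string field2.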
