I have a search and need to match 2 fields and show the match. I tried eval match(field1, field2) and eval results = if(match(field2,field1)), but that fails.
I think you may be making some incorrect assumptions about how things work.
The answers you are getting have to do with testing whether fields on a single event are equal.
If you are trying to take different events and connect them, then you need to use stats, join, lookup, or one of a half dozen other verbs, as appropriate to your use case.
Here's the basic stats version. Try to use this form if you can, because it's usually most efficient...
(index=foo1 some other search for record with field1) OR
(index=foo2 some other search for records with field2)
| fields index field1 field2 whatever you need from either record
| eval matchfield=coalesce(field1,field2)
| stats values(*) as * by matchfield
Here's a basic join version...
(index=foo1 some other search for record with field1)
| fields index field1 whatever you need from field1 record
| eval matchfield=field1
| join matchfield [ search
index=foo2 some other search for records with field2
| fields index field2 whatever you need from field2 record
| eval matchfield=field2
]
It seems that field1 and field2 cannot be gathered from the main search, so I need to get a subsearch that gets field2, and then I have to search for the same values.
@ecanmaster, as per your question, @micahkemp's answer would suffice. It seems like your data is not as per the condition provided in your question. So can you add sample events for the two fields with the field names? Also, can you add details around what the desired output is?
Hi @ecanmaster,
Can you please try this?
| makeresults
| eval field1="MyValue",field2="MyValue"
| eval results1=if(field1=field2,"Yes","No")
| eval results2=if(match(field1,field2),"Yes","No")
Here results1 shows the direct comparison of two fields.
Here results1 shows the comparison of two fields using match.
If you want to filter events where both fields are the same, then use the condition below.
| where match(field1,field2)
Thanks
Try:
| where field2=field1
match uses regex, not values from other fields, but where will compare two fields.
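Added example, not part of the thread above: a constructed makeresults search that puts the exact comparison and match() side by side on the same rows, assuming match() evaluates the value of field2 as an unanchored regular expression. The sample values and the why column are made up for illustration; rows 2 to 4 are the cases where the two tests disagree, which is what matters when the fields hold IP addresses or account names.

```spl
| makeresults count=4
| streamstats count AS n
| eval field1=case(n=1,"10.1.1.5", n=2,"10x1y1z5", n=3,"admin-backup", n=4,"a+b")
| eval field2=case(n=1,"10.1.1.5", n=2,"10.1.1.5", n=3,"admin", n=4,"a+b")
| eval why=case(n=1,"identical values", n=2,"dot in field2 acts as a wildcard", n=3,"field2 is only a substring of field1", n=4,"plus in field2 acts as a quantifier")
| eval exact=if(field1==field2,"Yes","No")
| eval regex=if(match(field1,field2),"Yes","No")
| eval disagree=if(exact!=regex,"Yes","No")
| table n field1 field2 exact regex disagree why
```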