Splunk Search

Why is comparison not working when field has value "*"

ma_anand1984
Contributor

fieldA is the extracted field already available
fieldB is eval field

| eval fieldB=*

| where fieldA=fieldB

Here I'm trying to match all values of fieldA. The above command is not working.

Whereas if I give
| eval fieldB=test

| where fieldA=fieldB
then it matches fieldA with value test

I'm trying to do something complex; this is the part where I am stuck.


martin_mueller
SplunkTrust

The eval command treats the asterisk character as multiplication.

If your task is complex I recommend regular expressions, for example to match everything:

... | eval fieldB=".*" | where match(fieldA, fieldB)

To match "test":

... | eval fieldB="^test$" | where match(fieldA, fieldB)
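The following is an added example, not part of the original answer. It puts the literal comparison from the question beside the match() approach, and goes slightly beyond the thread by also showing like() and an unanchored pattern. The four fieldA values are constructed sample data generated with makeresults, and the result column names are made up for this illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval fieldA=case(n=1, "test", n=2, "testing", n=3, "prod", n=4, "*")
| eval fieldB="*"
| eval literal_eq=if(fieldA == fieldB, "yes", "no")
| eval regex_all=if(match(fieldA, ".*"), "yes", "no")
| eval regex_unanchored=if(match(fieldA, "test"), "yes", "no")
| eval regex_anchored=if(match(fieldA, "^test$"), "yes", "no")
| eval like_all=if(like(fieldA, "%"), "yes", "no")
| table fieldA literal_eq regex_all regex_unanchored regex_anchored like_all
```

In eval and where, a quoted "*" is an ordinary string, so literal_eq is "yes" only for the row whose value is a literal asterisk. match() is a partial regex match, so the unanchored pattern also accepts "testing"; anchor with ^ and $ when a filter or detection must match the exact value.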

Ayn
Legend

Just as an FYI, you don't need to call format at the end of a subsearch, because it will be called implicitly anyway.

ma_anand1984
Contributor

I prefer using your way. It's faster 🙂


ma_anand1984
Contributor

Thank you for the tip. I actually wrote a subsearch to achieve it!!!!

[search |stats count |eval fieldA= if("APP"=="APP","*","test") | fields fieldA| format]
