Splunk Search

How can I compare two fields that I get from my search result?

prashanthberam
Explorer

I want to compare the two columns that I get dynamically from my search result. I want to compare both fields.

Sourcetype    result
xxxx          normal
xxxx          elevated
xxxx          critical

I want to compare both values: if any sourcetype is critical, the final result is critical; otherwise, if any sourcetype is elevated, the result is elevated; if everything is normal, the result is "normal".
Can we compare like this?
Thanks.

0 Karma
1 Solution

woodcock
Esteemed Legend

Just add this:

| eval MyAnswer=1
| chart count useother=f limit=0 over MyAnswer BY sourcetype
| foreach * [eval <<FIELD>>="<<FIELD>>"]
| eval MyAnswer=coalesce(critical, elevated, normal, "ERROR!")


0 Karma

javiergn
Super Champion

@prashanthberam please do not forget to accept an answer if you are happy with it

0 Karma

lfedak_splunk
Splunk Employee

Hey @prashanthberam, did any of these Answers work for you? If so, please accept one.

0 Karma


javiergn
Super Champion

Errrm, I might be missing something, but based on what you are saying (that is, if my sourcetype is critical, the result should be critical, and so on), why don't you simply do the following:

| eval result = sourcetype

Or even better, use the value of sourcetype directly instead of defining a new field.

If on the other hand, you just want to compare against certain values of the sourcetype field before you assign the value of result, then you can use the following syntax:

| eval result = case(
    match(sourcetype, "keyword_for_critical_sourcetypes") , "critical",
    match(sourcetype, "keyword_for_elevated_sourcetypes"), "elevated",
    match(sourcetype, "keyword_for_normal_sourcetypes"), "normal",
    1==1, "everything else"
)

Note you can use an exact match (==) instead of match if you know exactly what you are comparing against.

Hope that helps,
J

0 Karma

sbbadri
Motivator

try this

.. | eval result=case(
        sourcetype=="critical" AND result=="critical", "critical",
        sourcetype=="elevated" AND result=="elevated", "elevated",
        sourcetype=="normal" AND result=="normal", "normal")

0 Karma
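The roll-up the question describes (critical wins over elevated, elevated over normal, across every row) can also be done by ranking the severity and taking the maximum. This is an added SPL example, not code from any of the answers above; the three rows are constructed with makeresults, and the sourcetype names and the field name final_result are assumptions.

```spl
| makeresults count=3
| streamstats count AS n
| eval sourcetype=case(n==1, "auth", n==2, "web", n==3, "db"),
       result=case(n==1, "normal", n==2, "elevated", n==3, "critical")
| eval rank=case(result=="critical", 3, result=="elevated", 2, result=="normal", 1, 1==1, 0)
| eventstats max(rank) AS maxrank
| eval final_result=case(maxrank==3, "critical", maxrank==2, "elevated", maxrank==1, "normal", 1==1, "ERROR!")
| fields sourcetype result final_result
```

Every row gets final_result="critical" here because one row is critical; an unexpected result value ranks 0, so a search that only contains unknown values ends up as "ERROR!" rather than silently reporting "normal".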