I am trying to match a field across two inputs; if the field matches, then I compare the dates and table them.
When I create the match expression and output the values, they are blank.
However the date comparison following this expression is working, so it is getting the fields somehow.
Can someone help? I am very new to Splunk.
Here is my query:
| inputlookup File1
| fields T1 F1 R1 C1-- (fields in File1)
| lookup File2 F2 AS F1 OUTPUT Num F2 CT2 UT2 S2 (fields in File2)
| eval results=case((T1>CT2 AND (S2!="XYX" AND S2!="ABC")), "Duplicate", (T1>CT2 AND (S2="XYX" OR S2="ABC")), "New")
| eval Ticket=if(results=New,"NEW Ticket","Duplicate")
| table Ticket R1 F1 C1 F2 Num Created S2 CT2
The results logic seems to be working, and I am getting a table with Duplicate, R1, F1, C1.
However, I am not getting F2, Num, Created, S2 and CT2, the fields from File2. When I just run the following:
| inputlookup File1
| fields T1 F1 R1 C1-- (fields in File1)
| lookup File2 F2 AS F1 OUTPUT Num F2 CT2 UT2 S2 (fields in File2)
I get the fields from File1 (based on the second line of the search) and data, but only fields from File2, with no data in them (OUTPUT result). Any idea what I am doing wrong here?