Compare two different attributes of a log

[nofaceinbook]

I checked now the specification (thank you very much for it), several times, but I don't see a possibility to compare two different attributes of a log file. E.g. you want to check if the sourceIp is equal to destinationIp (not discussing here if this example makes any sense).
If this feature is not yet available I would suggest to allow a new modifier 'field'. In case it is present the value of a search identifier is treated as fieldname. E.g.

selection:
     sourceIp|field: destinationIp    # select flows where sourceIp eqauls destinaitionIp 

Also having the option to compare values with comparison modifiers of the new version like:

selection:
    bytesOut|field|g:  bytesIn   # select flows where more bytes went out than in

And in addition I would also vote for a specifc "not equal" comparison e.g. 'ne' to avoid to have a complicated comparision with two different selections and not-statement for this.

[Res260]

This modifier exists! However it's in the version 2 of the specification. It's called fieldref: https://github.com/SigmaHQ/sigma-specification/blob/version_2/appendix_modifer.md

[nofaceinbook]

Great. Thank you very much @Res260 . So I did not read version 2 carefully enough :-)

But I would still recommend to have a not-equal modifier like 'ne' as described above.