Solved: How to return results from Search1 which are not p...

cvreddy · ‎06-01-2016

I have two searches that will return common fields Event & UUID.
I have to get the results from the first search which are not present in the second search.

Search 1:

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server"

Search 2:

State="SendEmail" Action="After-SendEmail"

Can anyone provide the best search to find them?

Thanks in advance

sundareshr · ‎06-01-2016

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

View solution in original post

sundareshr · ‎06-01-2016

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

cvreddy · ‎06-01-2016

I've to eliminate UUID's from first query which are present in second query.
With the given query I'm getting more records as expected.

How to return results from Search1 which are not present in Search2?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio