Solved: How to return results from Search1 which are not p...

cvreddy · ‎06-01-2016

I have two searches that will return common fields Event & UUID.
I have to get the results from the first search which are not present in the second search.

Search 1:

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server"

Search 2:

State="SendEmail" Action="After-SendEmail"

Can anyone provide the best search to find them?

Thanks in advance

sundareshr · ‎06-01-2016

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

View solution in original post

sundareshr · ‎06-01-2016

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

cvreddy · ‎06-01-2016

I've to eliminate UUID's from first query which are present in second query.
With the given query I'm getting more records as expected.

How to return results from Search1 which are not present in Search2?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor