search command

uhkc777 · ‎08-25-2016

Here is my search query.

index=parmed-stage|eval _time=_time+14400|table _time OrderId OrderDetailID _raw|search NOT [|search index=sapecc-stage source=DBX:SAPECC-SE8 sourcetype=DBX:SAP-SalesOrder| table SALESORDERNUM ITEMDETAILID|rename SALESORDERNUM as OrderId, ITEMDETAILID as OrderDetailID] |table _raw OrderId OrderDetailID

I want to get the events from parmed which are not in sapecc index.
Here OrederID field in parmed matches SALESORDERNUM and OrderDetailID matches ITEMDETAILID. I want to get the events which don't match.

woodcock · ‎08-25-2016

Like this:

index=parmed-stage OR (index=sapecc-stage source=DBX:SAPECC-SE8 sourcetype=DBX:SAP-SalesOrder)
| eval OrderId=coalesce(OrderId, SALESORDERNUM)
| eval OrderDetailID=coalesce(OrderDetailID, ITEMDETAILID)
| eventstats dc(index) AS numIndices
| search numIndices=1
| table _raw OrderId OrderDetailID

sundareshr · ‎08-25-2016

Try like this

index=parmed-stage NOT [search index=sapecc-stage source=DBX:SAPECC-SE8 sourcetype=DBX:SAP-SalesOrder| table SALESORDERNUM ITEMDETAILID|rename SALESORDERNUM as OrderId, ITEMDETAILID as OrderDetailID] | table _raw OrderId OrderDetailID

uhkc777 · ‎08-25-2016

@sundareshr
itsearch index=parmed-stage NOT ( ( OrderDetailID="10" AND OrderId="1000041934" ) OR ( OrderDetailID="90" AND OrderId="1000022259" ) OR ( OrderDetailID="80" AND OrderId="1000022259" ) OR ( OrderDetailID="70" AND OrderId="1000022259" ) OR ( OrderDetailID="60" AND OrderId="1000022259" ) OR ( OrderDetailID="50" AND OrderId="1000022259" ) OR ( OrderDetailID="40" AND OrderId="1000022259" ) OR ( OrderDetailID="30" AND OrderId="1000022259" ) OR ( OrderDetailID="20" AND OrderId="1000022259" ) OR ( OrderDetailID="10" AND OrderId="1000022259" ) OR ( OrderDetailID="10" AND OrderId="1000041933" ) OR ( OrderDetailID="10" AND OrderId="1000041932" ) OR ( OrderDetailID="10" AND OrderId="1000041911" ) OR ( OrderDetailID="40" AND OrderId="1000041100" ) OR ( OrderDetailID="50" AND OrderId="1000041100" ) OR ( OrderDetailID="60" AND OrderId="1000041100" ) OR ( OrderDetailID="30" AND OrderId="1000041100" ) OR ( OrderDetailID="20" AND OrderId="1000041100" ) OR ( OrderDetailID="10" AND OrderId="1000041100" ) OR ( OrderDetailID="10" AND OrderId="1000041055" ) OR ( OrderDetailID="40" AND OrderId="1000041046" ) OR ( OrderDetailID="30" AND OrderId="1000041046" ) OR ( OrderDetailID="20" AND OrderId="1000041046" ) OR ( OrderDetailID="10" AND OrderId="1000041046" ) OR ( OrderDetailID="10" AND OrderId="1000041045" ) OR ( OrderDetailID="40" AND OrderId="1000041045" ) OR ( OrderDetailID="30" AND OrderId="1000041045" ) OR ( OrderDetailID="20" AND OrderId="1000041045" ) OR ( OrderDetailID="40" AND OrderId="1000041044" ) OR ( OrderDetailID="30" AND OrderId="1000041044" ) OR ( OrderDetailID="20" AND OrderId="1000041044" ) OR ( OrderDetailID="10" AND OrderId="1000041044" ) OR ( OrderDetailID="40" AND OrderId="1000041043" ) OR ( OrderDetailID="30" AND OrderId="1000041043" ) OR ( OrderDetailID="20" AND OrderId="1000041043" ) OR ( OrderDetailID="10" AND OrderId="1000041043" ) OR ( OrderDetailID="10" AND OrderId="1000041042" ) OR ( OrderDetailID="40" AND OrderId="1000041042" ) OR ( OrderDetailID="30" AND OrderId="1000041042" ) OR ( OrderDetailID="20" AND OrderId="1000041042" ) OR ( OrderDetailID="40" AND OrderId="1000041041" ) OR ( OrderDetailID="30" AND OrderId="1000041041" ) OR ( OrderDetailID="20" AND OrderId="1000041041" ) OR ( OrderDetailID="10" AND OrderId="1000041041" ) OR ( OrderDetailID="40" AND OrderId="1000041040" ) OR ( OrderDetailID="30" AND OrderId="1000041040" ) OR ( OrderDetailID="20" AND OrderId="1000041040" ) OR ( OrderDetailID="10" AND OrderId="1000041040" ) OR ( OrderDetailID="10" AND OrderId="1000041039" ) OR ( OrderDetailID="40" AND OrderId="1000041039" ) OR ( OrderDetailID="30" AND OrderId="1000041039" ) OR ( OrderDetailID="20" AND OrderId="1000041039" ) OR ( OrderDetailID="40" AND OrderId="1000041038" ) OR ( OrderDetailID="30" AND OrderId="1000041038" ) OR ( OrderDetailID="20" AND OrderId="1000041038" ) OR ( OrderDetailID="10" AND OrderId="1000041038" ) OR ( OrderDetailID="40" AND OrderId="1000041037" ) OR ( OrderDetailID="30" AND OrderId="1000041037" ) OR ( OrderDetailID="20" AND OrderId="1000041037" ) OR ( OrderDetailID="10" AND OrderId="1000041037" ) OR ( OrderDetailID="10" AND OrderId="1000041036" ) OR ( OrderDetailID="40" AND OrderId="1000041036" ) OR ( OrderDetailID="30" AND OrderId="1000041036" ) OR ( OrderDetailID="20" AND OrderId="1000041036" ) OR ( OrderDetailID="40" AND OrderId="1000041035" ) OR ( OrderDetailID="30" AND OrderId="1000041035" ) OR ( OrderDetailID="20" AND OrderId="1000041035" ) OR ( OrderDetailID="10" AND OrderId="1000041035" ) OR ( OrderDetailID="40" AND OrderId="1000041034" ) OR ( OrderDetailID="30" AND OrderId="1000041034" ) OR ( OrderDetailID="20" AND OrderId="1000041034" ) OR ( OrderDetailID="10" AND OrderId="1000041034" ) OR ( OrderDetailID="10" AND OrderId="1000041033" ) OR ( OrderDetailID="40" AND OrderId="1000041033" ) OR ( OrderDetailID="30" AND OrderId="1000041033" ) OR ( OrderDetailID="20" AND OrderId="1000041033" ) OR ( OrderDetailID="40" AND OrderId="1000041032" ) OR ( OrderDetailID="30" AND OrderId="1000041032" ) OR ( OrderDetailID="20" AND OrderId="1000041032" ) OR ( OrderDetailID="10" AND OrderId="1000041032" ) OR ( OrderDetailID="40" AND OrderId="1000041031" ) OR ( OrderDetailID="30" AND OrderId="1000041031" ) OR ( OrderDetailID="20" AND OrderId="1000041031" ) OR ( OrderDetailID="10" AND OrderId="1000041031" ) OR ( OrderDetailID="10" AND OrderId="1000041030" ) OR ( OrderDetailID="40" AND OrderId="1000041030" ) OR ( OrderDetailID="30" AND OrderId="1000041030" ) OR ( OrderDetailID="20" AND OrderId="1000041030" ) OR ( OrderDetailID="40" AND OrderId="1000041029" ) OR ( OrderDetailID="30" AND OrderId="1000041029" ) OR ( OrderDetailID="20" AND OrderId="1000041029" ) OR ( OrderDetailID="10" AND OrderId="1000041029" ) OR ( OrderDetailID="40" AND OrderId="1000041028" ) OR ( OrderDetailID="30" AND OrderId="1000041028" ) OR ( OrderDetailID="20" AND OrderId="1000041028" ) OR ( OrderDetailID="10" AND OrderId="1000041028" ) OR ( OrderDetailID="10" AND OrderId="1000041027" ) OR ( OrderDetailID="40" AND OrderId="1000041027" ) OR ( OrderDetailID="30" AND OrderId="1000041027" ) OR ( OrderDetailID="20" AND OrderId="1000041027" ) OR ( OrderDetailID="40" AND OrderId="1000041026" ) OR ( OrderDetailID="30" AND OrderId="1000041026" ) OR ( OrderDetailID="20" AND OrderId="1000041026" ) OR ( OrderDetailID="10" AND OrderId="1000041026" ) OR ( OrderDetailID="40" AND

sundareshr · ‎08-25-2016

This looks right to me, does the query look right to you?. Are the field names identical (case sensitive)

uhkc777 · ‎08-25-2016

@Sundaresh

sundareshr · ‎08-25-2016

No attachment. Can you just copy paste the NOT () bit as text?

uhkc777 · ‎08-25-2016

check the attachment image in next answer for litsearch

uhkc777 · ‎08-25-2016

No it's not working.It's just showing all events in parmed.(includes common events in sapecc which i don't want)

sundareshr · ‎08-25-2016

Click on Job >> Inspect Job and scroll down till you see litsearch (Ctrl+F litsearch on the popup window) and see if that search is correct. If not, let me know what that should be. This searches for NOT (OrderId="xyz" AND OrderDetailID="abc"). Do you want NOT (OrderId="xyz" OR OrderDetailID="abc")

uhkc777 · ‎08-25-2016

NOT (OrderId="xyz" AND OrderDetailID="abc")-----I want this one

sundareshr · ‎08-25-2016

What does litsearch show?

uhkc777 · ‎08-25-2016

only those 2 field values matches in 2 indexes....remaining everything is different

search command

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...