
Search for results which don't appear in subsearch

smcdonald20
Path Finder

I have the below search, but am not getting any results (even though I know there are results).
There are over 10,000 results in the first query, could that be the issue?

index=ad source=otl_aduserscan
|fields samAccountName, enabled
|search NOT [search index=summary source="otl - engineering - jira au tickets"
|fields Username | rename Username as samAccountName ]
|table samAccountName


lguinn2
Legend

I would try it this way:

(index=ad source=otl_aduserscan) OR (index=summary source="otl - engineering - jira au tickets" )
| eval samAccountName=coalesce(samAccountName,Username)
| chart count by samAccountName index
| fillnull
| where summary=0
| table samAccountName

This solution avoids any subsearch limitations (time or size of results). It may also be much faster. Finally, you can easily debug this search by running just the first 2-3 lines to "see what you get."

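As an added example (not from lguinn2's post and not Splunk's own documentation), here is the same anti-join run against constructed data so it can be pasted into any search bar without the ad or summary indexes being present. The account names, the `index` field set by eval to stand in for the real index metadata field, and the expected single result "bob" are all constructed for this illustration:

```spl
| makeresults count=3
| streamstats count AS n
| eval samAccountName=case(n=1,"alice", n=2,"bob", n=3,"carol"), enabled=if(n=3,0,1), index="ad"
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval Username=case(n=1,"alice", n=2,"carol"), index="summary"]
| eval samAccountName=coalesce(samAccountName, Username)
| chart count BY samAccountName index
| fillnull value=0
| where summary=0
| table samAccountName
```

Running the first three lines plus the `append` shows the combined rows; adding `chart` shows one row per account with an `ad` and a `summary` count column (the column names are the index values), and only "bob" survives `where summary=0` because it never appears in the ticket data. Nothing here passes through a subsearch result set, so the 10,000-row limit that worries the original poster does not apply. If the two sources disagree on case (the point somesoni2 raises), normalize both sides with `lower()` inside the `coalesce` before charting.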

somesoni2
SplunkTrust

If your subsearch result is getting truncated, you should see additional data since you're using the NOT command (the fewer records the subsearch returns, the fewer records will get filtered). Does the value of field Username in your summary index and the value of field samAccountName match exactly? Give this a try as well.

index=ad source=otl_aduserscan
|fields samAccountName, enabled
|search NOT [search index=summary source="otl - engineering - jira au tickets"
|stats count by Username | eval samAccountName="*".Username."*" | table samAccountName ]
|table samAccountName

niketn
Legend

Not sure if the query will be any better

index=ad source=otl_aduserscan NOT 
  [ search index=summary source="otl - engineering - jira au tickets" 
   | dedup Username 
   | eval samAccountName=Username ]
| table samAccountName
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"