Search for results which don't appear in subsearch

smcdonald20 · ‎03-28-2017

I have the below search, but am not getting any results (even though I know there are results).
There are over 10,000 results in the first query, could that be the issues?

lguinn2 · ‎03-28-2017

I would try it this way:

(index=ad source=otl_aduserscan) OR (index=summary source="otl - engineering - jira au tickets" )
| eval samAccountName=coalesce(samAccountName,Username)
| chart count by samAccountName index
| fillnull
| where summary=0
| table samAccountName

This solution avoids any subsearch limitations (time or size of results). It may also be much faster. Finally, you can easily debug this search by running just the first 2-3 lines to "see what you get."

somesoni2 · ‎03-28-2017

If your subsearch result is getting truncated, you should see additional data since you're using NOT command (less records subsearch returns, less records will get filtered). Does the value of field Username in your summary index and value of field samAccountName match exactly? Give this a try as well.

index=ad source=otl_aduserscan
|fields samAccountName, enabled
|search NOT [search index=summary source="otl - engineering - jira au tickets" 
|stats count by Username | eval samAccountName="*".Username."*" | table sasmAccountName ]
|table samAccountName

niketn · ‎03-28-2017

Not sure if the query will be any better

index=ad source=otl_aduserscan NOT 
  [ search index=summary source="otl - engineering - jira au tickets" 
   | dedup Username 
   | eval samAccountName=Username ]
| table samAccountName

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Search for results which don't appear in subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!