Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return results where ClientID in first search DOES NOT match any ClientID in second search.

griffinpair
Path Finder
‎08-10-2017 08:31 AM

Search 1:

source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* End
| rex field=source "importhelpers\\\\+(?LateClientID[^\\\\]+)"
| where (LateClientID="WHI")
OR (LateClientID="IRM")

Results: 

LateClientID: WHI, IRM

Search 2:

index="si_errors" sourcetype="si_LateEnd"

Results:

ClientID: WHI, ALP, USBI

Based on the results, I would want data from IRM to be returned. This is because any ClientID in the second search that matches a LateClientID returned in the first search I DO NOT want data from.

updated to mark code, DMJ

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-10-2017 08:52 AM

Try this ...

 source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* End
 | rex field=source "importhelpers\\\\+(?LateClientID[^\\\\]+)"
 | where NOT [
      index="si_errors" sourcetype="si_LateEnd" 
     | dedup ClientID | table ClientID | rename ClientID as lateClientID  
     ]

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-10-2017 08:52 AM

Try this ...

 source=*D:\\XSP\\importhelpers* source=*IH_Daily\\DebugImportHelper* End
 | rex field=source "importhelpers\\\\+(?LateClientID[^\\\\]+)"
 | where NOT [
      index="si_errors" sourcetype="si_LateEnd" 
     | dedup ClientID | table ClientID | rename ClientID as lateClientID  
     ]
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-10-2017 11:38 AM

This search works perfect thanks!! One more question for this though. How do I only search for records within the last 24 hours on the sub-search?

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-10-2017 11:44 AM

Add the following to your sub-search:

index="si_errors" sourcetype="si_LateEnd" earliest=-24h@h latest=now
0 Karma
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-10-2017 11:46 AM

It works good before I add that text. After I add it I get the error "Error in 'where' command: The 'not' function is unsupported or undefined."

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-10-2017 08:50 AM

You could use a sub-search for this. Try something like this:

source=D:\\XSP\\importhelpers source=IH_Daily\\DebugImportHelper End 
| rex field=source "importhelpers\\\+(?LateClientID[^\\\]+)"
    NOT 
    [ search index="si_errors" sourcetype="si_LateEnd" 
    | eval LateClientID=ClientID]
0 Karma
Reply
Solved! Jump to solution

griffinpair
Path Finder
‎08-10-2017 08:57 AM

The "NOT" here is throwing an error. It is saying it is an invalid argument.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-10-2017 09:29 AM

@griffinpair - run the subsearch all together on one line and try again. kmorris and I both chose to prettify the code - almost exactly the same way by coincidence - and sometimes splunk objects to whitespace in certain locations.

You should add | table LateClientID just inside the last subsearch bracket also.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-10-2017 08:56 AM

@kmorris [Splunk] - OOOO - very close... but you left the ClientID field (and possibly others) to hit the implicit format....... 😉

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...