Hello

I have similar situation where I have 2 sources of data and in data I get filenames processed but filenaming convention is different in both data sources.
So for that matter I get a pattern using eval and some string manipulations to match in both sources.

So I am trying hard to find filenames that are in source1 but not in source2.

So here I am trying to do:

index="clouddata" Application=CS Message.PublisherId="PROD_*ONGOING*"|
rename Message.FileName as cs_filename | dedup cs_filename |
eval ercode = mvindex(split(cs_filename,"_"),1) |
eval servicedatetime = mvindex(split(cs_filename,"_"),2) |
strcat ercode servicedatetime fileSearchStr |
eval fileSearch = substr(fileSearchStr,0,18) | table fileSearch | where NOT fileSearch IN [search index="serverdata" Application=SP |
rename Message.FileName as sp_filename | dedup sp_filename |
eval ercode = mvindex(split(sp_filename,"_"),0) |
eval datetime = mvindex(split(sp_filename,"_"),1) |
strcat ercode datetime fileSearchStr1 |
eval fileSearch="\"".fileSearch."\"" | stats values(fileSearch) as search delim="," | nomv search]

That field fileSearch would look like "10010JYR2011240547"
And when I run subsearch as a separate main query it gives me something like "10005ABC2020112405","10010JYR2011240547","100839TIN202011240","83101ICC2020112406"

Getting an error:
Error in 'where' command: The expression is malformed. Expected (.

Can I get some help on this?