Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use subsearch to find which values from a subsearch populated table aren't in another search?

brajaram
Communicator
‎05-07-2018 09:17 PM

I have two seperate sourcetypes. In the first sourcetype, I have a field memberID that also exists in the second sourcetype.

The query I am using right now is:

index=...sourcetype=A....
[search index=... sourcetype=B... other filters | table memberID]

This correctly returns the memberID's in sourcetype A that exist in the subsearch in sourcetype B. However, not all memberID's returned in the table generated in the subsearch are returning in this combined search. I am trying to find out which memberIDs exist from the subsearch(sourcetype B) and do NOT exist in the primary search(sourcetype A).

If I do:

index=...sourcetype=A.... NOT
[search index=... sourcetype=B... other filters | table memberID]

it just returns a large list of everything except all the memberIDs in the subsearch, but I want to specifically get the list of memberIDs from the subsearch that are not in the primary search.

Tags (2)
0 Karma
Reply

knielsen
Contributor
‎05-08-2018 12:21 AM

Maybe this gives you what you want?

index=A sourcetype=A OR (index=B ...more filters) | chart count over memberID by index | where A=0 AND B>0
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...