Answers for "Search help: remove intersection of two sets from the first set"
https://answers.splunk.com/answers/26592/search-help-remove-intersection-of-two-sets-from-the-first-set.html
The latest answers for the question "Search help: remove intersection of two sets from the first set"

Answer by kristian.kolb
https://answers.splunk.com/answering/34706/view.html
I'd assume that the following would be more efficient, but I haven't tried it out.
<code>source=set1.log NOT [search source=set2.log | dedup MAC | fields + MAC ]</code>
i.e. find all MACs from set2, then show all events from set1 whose MAC addresses do not match the subsearch.
/kristian
Fri, 18 Nov 2011 20:30:40 GMT
kristian.kolb

Answer by Genti
https://answers.splunk.com/answering/26593/view.html
This can be achieved by the following search:
<code>source="set1.log" | JOIN type=left MAC [search source="set2.log" | eval x=1] | Where NOT x=1</code>
Explanation:
The subsearch will find events in set2.log and add a new field, x=1, to each event (that is, for D, E, F, G, the field x=1 will be associated with the events).
Then we're doing a LEFT JOIN on the field MAC (which will return A B C D), but we are leaving out those events for which x=1 (hence we are leaving out D).
The final result then becomes: A, B and C, that is, set1 - set2
Mon, 20 Jun 2011 23:03:52 GMT
Genti