How to create a search and subsearch to exclude re...

pc1234 · ‎10-17-2022

I need to create a search and subsearch to exclude results in a query.

the primary search is a lookup table. the subsearch is a query on events that extracts a field I want to use to join to the primary search. the common field is hostname.

If a given hostname in the lookup table is found in the subsearch i want to discard it.

primary search

| inputlookup hosts.csv

field = hostname

output:

host1

host2

host3

subsearch

index=abc message="for account" sourcetype=type1

rex field=names"(?<hostname>\S+)

field hostname

output:

host3

I want the following output:

hostname

host1

host2

I want to discard host3 since its in the subquery.

How do I correlate the searches to do this? I can't use a join because the hostname in the subsearch is not computed until the subquery is executed.

Thanks in Advance.

richgalloway · ‎10-17-2022

You wrote what you need to do - a search, a subsearch, and exclude (NOT).

| inputlookup hosts.csv where NOT [ index=abc message="for account" sourcetype=type1 | rex field=names"(?<hostname>\S+) ]

It also can be done with a join, but that's not preferred.

| inputlookup hosts.csv
| join type=left hostname [
  index=abc message="for account" sourcetype=type1
  | rex field=names"(?<hostname>\S+) ]

---
If this reply helps you, Karma would be appreciated.

How to create a search and subsearch to exclude results in a query?

join

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?