I have two indexes, A and B. Events are copied using the |collect command from Index A to index B. Later, I am trying to run a search for all results in index A that are not in index B. Something like:
index=A NOT index=B
However, this does not remove an event that is in both indexes. Essentially what I am trying is a |join type=left outer. However, it seems that Splunk doesn't support that type of join. |dedup seems to not recognize the events as duplicates either. I also tried using _cd as a unique identifier; however, since that is tied to its location in the index, the two events have different _cd values, preventing that from being used.
EDIT:
We currently are trying to allow users of our dashboard to "acknowledge" events. This process currently means filling in some input that sets tokens, which, on a drilldown action on a panel that has that event, runs a new search using |eval to append those tokens and |collect to move that event into index B.
The idea is that then we could make sure that our search for "to be acknowledged" will NOT include events that are in index B. Currently, due to these issues, I have been testing without the |eval bit, meaning that the two events are exactly the same; the only difference is the index.
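An added example (not from the original post) of the stats-based anti-join usually used in Splunk where a left outer join is not available: search both indexes at once, build a key from the event content, and keep only keys that were seen in index A but never in index B. It assumes the indexes are literally named A and B and that, as the post states, the collected copy has the same _raw as the original; if the acknowledgement tokens are appended with |eval before |collect, the key should be built from the fields that are unchanged by that step instead of from _raw.

```spl
index=A OR index=B
| eval key=md5(_raw)
| stats values(index) AS seen_in, dc(index) AS n_idx, earliest(_time) AS _time, first(_raw) AS _raw BY key
| where n_idx=1 AND seen_in="A"
| fields - key, n_idx, seen_in
```

`index=A NOT index=B` returns every event in A because each of those events individually satisfies `index!=B`; the exclusion has to be computed across both result sets, which is what the `stats ... BY key` step does.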