https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625029#M14878 <P>IN-PROGRESS events are random and can have duplicate events name, they don't follow any kind of order as such.<BR /><BR />Thank you.</P> Thu, 22 Dec 2022 02:28:54 GMT ShubhamWanne 2022-12-22T02:28:54Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/624983#M14870 <P>I am new to splunk and working on a complex query where;<BR />I am supposed to implement NOT IN functionality in SQL along with eval<BR /><BR />I want to skip all the IN-PROGRESS events who later went into COMPLETED state, and display all the events which are still in IN-PROGRESS state.</P> <P>For example<BR />COMPLETED events:</P> <P>event1<BR />event5<BR />event4<BR />event7<BR /><BR />IN-PROGRESS events:</P> <P>event3<BR />event1<BR />event4<BR /><BR />Expected result<BR /><STRONG>event3</STRONG></P> <P>Given below are the queries to fetch COMPLETED and IN-PROGRESS events:<BR /><BR />index=abc message="*COMPLETED*" | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | table eventName<BR />index=abc message="*IN-PROGRESS*" | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | table eventName<BR /><BR /><BR />Thank you in advance.<BR /><BR /></P> Wed, 21 Dec 2022 15:02:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/624983#M14870 ShubhamWanne 2022-12-21T15:02:09Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/624990#M14872 <P>Collect all IN-PROGRESS and COMPLETED events.&nbsp; Keep only the most recent event for each unique identifier.&nbsp; Discard the COMPLETED events and what is left will be those IN-PROGRESS and not COMPLETED.</P><LI-CODE lang="markup">index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | dedup eventName | where NOT match(message, "COMPLETED") | table eventName</LI-CODE> Wed, 21 Dec 2022 14:30:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/624990#M14872 richgalloway 2022-12-21T14:30:55Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625005#M14875 <P>I appreciate the quick reponse&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;<BR /><BR />but this query fails in scenario where:<BR />COMPLETED (C)<BR />Event1, Event2, Event3 and<BR /><BR />IN-PROGRESS (I-P)<BR />Event1, Event2, Event2, Event2<BR /><BR />Then</P><PRE>index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) </PRE><P>&nbsp;This query will list<BR />Event1(C), Event1(I-P),&nbsp;Event2(I-P),Event2(I-P),Event2(I-P),Event2(C),Event3(C)<BR /><BR />and&nbsp;&nbsp;</P><PRE>| dedup eventName</PRE><P>will return<BR />&nbsp;Event1(C),&nbsp;Event2(I-P),Event3(C)<BR /><BR />and</P><PRE>| where NOT match(message, "COMPLETED")</PRE><P><BR />will return&nbsp;<BR /><BR />Event2<BR /><BR /><BR /><STRONG>Ideally, result should be 0.</STRONG></P><P><STRONG>Thank you.</STRONG></P> Wed, 21 Dec 2022 15:58:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625005#M14875 ShubhamWanne 2022-12-21T15:58:16Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625017#M14876 <P>My query assumes events are in reverse time order, which is the default.&nbsp; If that is not the case for your data then please advise so I can revise the query.</P> Wed, 21 Dec 2022 20:12:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625017#M14876 richgalloway 2022-12-21T20:12:48Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625029#M14878 <P>IN-PROGRESS events are random and can have duplicate events name, they don't follow any kind of order as such.<BR /><BR />Thank you.</P> Thu, 22 Dec 2022 02:28:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625029#M14878 ShubhamWanne 2022-12-22T02:28:54Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625098#M14883 <P>If IN-PROGRESS arrives after COMPLETE then I would think the event is now in progress.&nbsp; OTOH, if the logic is if COMPLETE is seen at any time then IN_PROGRESS must be ignored then try this query.</P><LI-CODE lang="markup">index=abc (message="*IN-PROGRESS*" OR message="*COMPLETED*") | eval splitStr=split(message, ",") | eval eventName=mvindex(splitStr,1) | stats values(message) as messages by eventName | where isnull(mvfind(messages, "COMPLETED")) | table eventName</LI-CODE> Thu, 22 Dec 2022 14:41:49 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-write-a-search-to-implement-NOT-IN-functionality-in-SQL/m-p/625098#M14883 richgalloway 2022-12-22T14:41:49Z