https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297829#M3794 <P>I have two indexes. I can join them and see the results based on a common field. I want to see only the results in the second index that are not part of the first index.</P> <PRE><CODE>index=BASE earliest=0 | eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p") | where LPR &gt;= relative_time(now(),"-7d@h") | table "WiFiMAC","LastPolicyRequest","ValidFrom","ValidTo" | join type=left WiFiMAC [ search BASE earliest =-48h | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | eval Indextime =strptime(indextime,"%Y-%m-%d %H:%M:%S.%N") | eval Time =strptime(_time,"%s") | eval Minutes_Diff = round((Indextime - Time)/60,2) | stats avg(Minutes_Diff) as Avg_Minutes_Diff stdev(Minutes_Diff) as StDev_Minutes_Diff min(Minutes_Diff) as Min_Minutes_Diff max(Minutes_Diff) as Max_Minutes_Diff count as count by WiFiMAC | eval Avg_Minutes_Diff = round(Avg_Minutes_Diff,2) | rename count as "Sample Size" | table "WiFiMAC", "Avg_Minutes_Diff", "StDev_Minutes_Diff", "Min_Minutes_Diff", "Max_Minutes_Diff", "Sample Size" ] | table "WiFiMAC", "Avg_Minutes_Diff", "StDev_Minutes_Diff", "Min_Minutes_Diff", "Max_Minutes_Diff","ValidFrom","ValidTo","LastPolicyRequest", "Sample Size" | dedup WiFiMAC </CODE></PRE> <P>Any Ideas?</P> Thu, 29 Mar 2018 17:35:41 GMT JoshuaJohn 2018-03-29T17:35:41Z https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297829#M3794 <P>I have two indexes. I can join them and see the results based on a common field. I want to see only the results in the second index that are not part of the first index.</P> <PRE><CODE>index=BASE earliest=0 | eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p") | where LPR &gt;= relative_time(now(),"-7d@h") | table "WiFiMAC","LastPolicyRequest","ValidFrom","ValidTo" | join type=left WiFiMAC [ search BASE earliest =-48h | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | eval Indextime =strptime(indextime,"%Y-%m-%d %H:%M:%S.%N") | eval Time =strptime(_time,"%s") | eval Minutes_Diff = round((Indextime - Time)/60,2) | stats avg(Minutes_Diff) as Avg_Minutes_Diff stdev(Minutes_Diff) as StDev_Minutes_Diff min(Minutes_Diff) as Min_Minutes_Diff max(Minutes_Diff) as Max_Minutes_Diff count as count by WiFiMAC | eval Avg_Minutes_Diff = round(Avg_Minutes_Diff,2) | rename count as "Sample Size" | table "WiFiMAC", "Avg_Minutes_Diff", "StDev_Minutes_Diff", "Min_Minutes_Diff", "Max_Minutes_Diff", "Sample Size" ] | table "WiFiMAC", "Avg_Minutes_Diff", "StDev_Minutes_Diff", "Min_Minutes_Diff", "Max_Minutes_Diff","ValidFrom","ValidTo","LastPolicyRequest", "Sample Size" | dedup WiFiMAC </CODE></PRE> <P>Any Ideas?</P> Thu, 29 Mar 2018 17:35:41 GMT https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297829#M3794 JoshuaJohn 2018-03-29T17:35:41Z https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297830#M3795 <P>Hey</P> <P>Let's say you WiFiMAC is the field that you use to eliminate them, you can use a strategy like the following:</P> <PRE><CODE>Index 2 NOT [ search index 1 | ..... | return WiFiMAC] </CODE></PRE> <P>That will show you index 2 entries that don't have any value of the index 1 entries you got in that subsearch</P> Thu, 29 Mar 2018 18:15:26 GMT https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297830#M3795 tiagofbmm 2018-03-29T18:15:26Z https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297831#M3796 <P>... that did it. Thank you!</P> Thu, 29 Mar 2018 18:28:24 GMT https://community.splunk.com/t5/Splunk-Dev/splunk-remove-common-field-values-after-join/m-p/297831#M3796 JoshuaJohn 2018-03-29T18:28:24Z