topic Re: Newbie doubt in Getting Data In

Newbie doubt

SoumyaSengupta9 — Tue, 20 Oct 2020 20:58:49 GMT

I have an array of pre-defined string values.

I want to check which of these values have not occured at search time for the last 60 mins.

I have my query in such a format

[ "", "", "", ............ ] NOT IN [ search query ]

This does not work as the hardcoded strings are not a search query. What do I do here?

Basically I need the list of strings which haven't appeared in the last 60 mins among the logs.

Re: Newbie doubt

richgalloway — Tue, 20 Oct 2020 21:53:32 GMT

Recall that square brackets denote a subsearch. Subsearches run before the main search and their results are added to the main search. The combination must produce a valid SPL query.

The IN operator does not work the way it's being used here. It expects a comma-separated list of values rather than the "(foo=1 OR foo=2)" type of result produced by a subsearch.

See if this query helps

search query NOT ("" OR "" OR "" OR ....)

Re: Newbie doubt

SoumyaSengupta9 — Wed, 21 Oct 2020 08:38:24 GMT

@richgalloway so the search query should actually be part of the subsearch, i.e - [search query].
The results returned by theses subsearch are intended to be compared with the existing list of pre-defined strings i already have.

Basically an EXCEPT operator between pre-defined strings vs search results should give me the results which did not appear in serach.

How do i do that ?

The query you mentioned above has the search at the outside which in my case needs to be inside

Re: Newbie doubt

richgalloway — Wed, 21 Oct 2020 13:41:36 GMT

My example query compares search results to an existing list of pre-defined strings you already have.

The NOT operator is the EXCEPT operator you seek.

Re: Newbie doubt

SoumyaSengupta9 — Wed, 21 Oct 2020 13:53:11 GMT

@richgalloway i want the final values from the pre-defined list of values which don't appear on the search - not the other way round.

Re: Newbie doubt

richgalloway — Thu, 22 Oct 2020 14:32:11 GMT

Are the pre-defined strings expect to be in a certain field in the search? I ask because while it's not possible to use

"foo" NOT [ search ..]

it is possible to do

| inputlookup strings.csv | fields foo | search foo NOT [ search ...]

but that means the pre-defined string would be expected to be in a field called 'foo'.