How to use subsearch to find which values from a subsearch populated table aren't in another search?

brajaram — Tue, 08 May 2018 04:17:37 GMT

I have two seperate sourcetypes. In the first sourcetype, I have a field memberID that also exists in the second sourcetype.

The query I am using right now is:

index=...sourcetype=A.... [search index=... sourcetype=B... other filters | table memberID]

This correctly returns the memberID's in sourcetype A that exist in the subsearch in sourcetype B. However, not all memberID's returned in the table generated in the subsearch are returning in this combined search. I am trying to find out which memberIDs exist from the subsearch(sourcetype B) and do NOT exist in the primary search(sourcetype A).

If I do:

index=...sourcetype=A.... NOT [search index=... sourcetype=B... other filters | table memberID]

it just returns a large list of everything except all the memberIDs in the subsearch, but I want to specifically get the list of memberIDs from the subsearch that are not in the primary search.

Re: How to use subsearch to find which values from a subsearch populated table aren't in another search?

knielsen — Tue, 08 May 2018 07:21:11 GMT

Maybe this gives you what you want?

index=A sourcetype=A OR (index=B ...more filters) | chart count over memberID by index | where A=0 AND B>0

topic Re: How to use subsearch to find which values from a subsearch populated table aren't in another search? in Splunk Search

How to use subsearch to find which values from a subsearch populated table aren't in another search?

Re: How to use subsearch to find which values from a subsearch populated table aren't in another search?