https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432539#M123592 <P>I think,you need to try subsearch in this case:<BR /> like</P> <PRE><CODE> index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user] </CODE></PRE> <P>OR </P> <PRE><CODE> index=windows NOT macro1 | search NOT [`macro2` ] </CODE></PRE> <P>MACRO2:</P> <PRE><CODE> search index=windows "failed" | where src_user=user </CODE></PRE> Wed, 30 Jan 2019 08:31:37 GMT vishaltaneja070 2019-01-30T08:31:37Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432533#M123586 <P>Hi,</P> <P>I would like to display results if both user and src_user field is match but it shows an "unbalanced parentheses" error.</P> <P>Main search:<BR /> index=windows ...... NOT (<CODE>same_login_macro</CODE>)<BR /> | table src_user, user</P> <P>Macro for <CODE>same_login_macro</CODE>:<BR /> "<EM>failed</EM>" | where src_user=user</P> <P>Can someone help - how to return search result when value of both field matched using "where" or other workable method for us in macro?</P> Wed, 30 Jan 2019 04:40:58 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432533#M123586 SplunkNewbie18 2019-01-30T04:40:58Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432534#M123587 <P>Hello @SplunkNewbie18</P> <P>Try this: index=windows ...... NOT <CODE>same_login_macro</CODE><BR /> | table src_user, user</P> Wed, 30 Jan 2019 06:24:24 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432534#M123587 vishaltaneja070 2019-01-30T06:24:24Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432535#M123588 <P>Hmm...nope it doesnt work. Returns me 0 result. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> im using the macros as whitelisting concept to exclude events from the results.</P> Wed, 30 Jan 2019 07:51:39 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432535#M123588 SplunkNewbie18 2019-01-30T07:51:39Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432536#M123589 <P>As per the macro definition, this will be the search<BR /> index=windows ...... NOT "failed" | where src_user=user<BR /> | table src_user, user</P> <P>This will be search which is running in background. could you please let me the exact requirement. What is required as the above search is " Searching for events in windows index, then filter the events which is not having "failed" keyword and the searching for events where sec_user = user"</P> Tue, 29 Sep 2020 23:00:41 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432536#M123589 vishaltaneja070 2020-09-29T23:00:41Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432537#M123590 <P>can u explain in depth what do u want</P> Wed, 30 Jan 2019 08:09:50 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432537#M123590 harishalipaka 2019-01-30T08:09:50Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432538#M123591 <P>I have mutiple macros in the main search but simplyfying it for illustartion purposes. For instance:</P> <P><STRONG>Main search</STRONG><BR /> index=windows NOT <CODE>macro1</CODE> NOT <CODE>macro2</CODE></P> <P><STRONG>Macro 1</STRONG><BR /> "success" user="admin"</P> <P><STRONG>Macro 2</STRONG><BR /> "failed" | where src_user=user</P> <P>If you suggest to put NOT <CODE>macro2</CODE> it will not work as they will perform the NOT condition and then followed by where -&gt; (NOT "failed") | where src_user=user. Whereas what im looking for is NOT the results found in ("failed" | where src_user=user).</P> Tue, 29 Sep 2020 22:59:06 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432538#M123591 SplunkNewbie18 2020-09-29T22:59:06Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432539#M123592 <P>I think,you need to try subsearch in this case:<BR /> like</P> <PRE><CODE> index=windows NOT `macro1` | search NOT [ search index=windows "failed" | where src_user=user] </CODE></PRE> <P>OR </P> <PRE><CODE> index=windows NOT macro1 | search NOT [`macro2` ] </CODE></PRE> <P>MACRO2:</P> <PRE><CODE> search index=windows "failed" | where src_user=user </CODE></PRE> Wed, 30 Jan 2019 08:31:37 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432539#M123592 vishaltaneja070 2019-01-30T08:31:37Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432540#M123593 <P>Ohhh great! It workss. Thanks vishal!</P> Thu, 31 Jan 2019 05:56:21 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432540#M123593 SplunkNewbie18 2019-01-31T05:56:21Z https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432541#M123594 <P>@SplunkNewbie18 </P> <P>No Problem <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Can you please accept the answer to close the thread.</P> Thu, 31 Jan 2019 06:26:49 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-matching-fields-in-macro/m-p/432541#M123594 vishaltaneja070 2019-01-31T06:26:49Z