https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436307#M124354 <P>Try this:</P> <PRE><CODE>index=MySearch1 NOT [search index=MySearch2 | stats count BY RefToMessageID | table RefToMessageID | rename RefToMessageID AS MessageID] | stats count BY MessageID | dedup MessageID | table MessageID | rename MessageID AS messageid </CODE></PRE> Thu, 02 May 2019 04:38:41 GMT woodcock 2019-05-02T04:38:41Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436305#M124352 <P>I have made two indexes and set the values into a table. How can i find a value from table1 in table2 and present de value wich is not found in table2.<BR /> In table 2 are more results as in table1. I just want to see the value from table1 wich is not found in table2.</P> <P>This is my search:</P> <PRE><CODE>index=MySearch1 | stats by MessageID | dedup MessageID | table MessageID | rename MessageID as messageid | append [search index=MySearch2" | stats by RefToMessageID | dedup RefToMessageID | table RefToMessageID | sort -_time] | rename RefToMessageID as reftomessageid | foreach messageid [eval match=if(messageid!=reftomessageid, "NOK", "OK")] | stats values(messageid) values(reftomessageid) values(match) </CODE></PRE> <P>Only one value(match) gives "OK", the others are empty. What am i doing wrong?</P> Wed, 01 May 2019 10:52:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436305#M124352 sjansma 2019-05-01T10:52:31Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436306#M124353 <P>@sjansma </P> <P>Can you please try this?</P> <PRE><CODE>index=MySearch1 | stats count by MessageID | eval flag=1 | append [ search index=MySearch2 | stats count by RefToMessageID | rename RefToMessageID as MessageID | eval flag=2] | stats values(flag) as flag by MessageID | where flag=2 AND flag!=1 </CODE></PRE> <P>Thanks</P> Wed, 01 May 2019 11:50:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436306#M124353 kamlesh_vaghela 2019-05-01T11:50:31Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436307#M124354 <P>Try this:</P> <PRE><CODE>index=MySearch1 NOT [search index=MySearch2 | stats count BY RefToMessageID | table RefToMessageID | rename RefToMessageID AS MessageID] | stats count BY MessageID | dedup MessageID | table MessageID | rename MessageID AS messageid </CODE></PRE> Thu, 02 May 2019 04:38:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436307#M124354 woodcock 2019-05-02T04:38:41Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436308#M124355 <P>Hi @sjansma,</P> <P>What you're trying to do is very ressource intensive, better avoid using <CODE>append</CODE> and subsearches when possible.</P> <P>Try this one liner :</P> <PRE><CODE> index=MySearch1 OR index=MySearch2 | stats count values(index) as index by MessageID | search NOT index=MySearch2 </CODE></PRE> <P>What this does is grab all events from both indexes, checks the number of time each messageID appeared and in which source it was shown, then finally gives all the events that are not in MySearch2 but are in MySearch1.</P> <P>Let me know if this helps !</P> <P>Cheers,<BR /> David</P> Thu, 02 May 2019 07:17:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436308#M124355 DavidHourani 2019-05-02T07:17:04Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436309#M124356 <P>This is working. But in the answer of @DavidHourani he says thats it's better not to use 'append' because it should be very resource intensive. ??</P> Wed, 08 May 2019 10:01:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436309#M124356 sjansma 2019-05-08T10:01:22Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436310#M124357 <P>This is not working. I got no result where i expect result. Maybe due to that for both searches i use the same index. Search1 gives must give al list with MessageID's , search2 give al iist with RefToMessageID's. I am looking for the MessageID's wich has not a RefToMessageID (MessageID = RefToMessageID)</P> Wed, 08 May 2019 10:01:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436310#M124357 sjansma 2019-05-08T10:01:29Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436311#M124358 <P>This is working</P> Wed, 08 May 2019 10:01:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436311#M124358 sjansma 2019-05-08T10:01:58Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436312#M124359 <P>oh, okay my search will only works for two different indexes. If both are in the same index then @woodcock's answer is the way to go <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span> </P> Wed, 08 May 2019 10:25:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-value-from-index1-table1-in-index2-table2/m-p/436312#M124359 DavidHourani 2019-05-08T10:25:15Z