https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458607#M129483 <P>I know I am for sure over-complicating this. I need to find values that are in field x, that are not in field y.</P> <P>This is my first query:</P> <PRE><CODE>index=nitro_prod_loc_server earliest=-4h | stats values("locId") as All_Locs </CODE></PRE> <P>This returns all locations, it requires a 4 hour timespan</P> <P>This is my second query:</P> <PRE><CODE>index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number" | stats values("locId") as "Checked_Locs" </CODE></PRE> <P>This returns a list of locations that have been checked, it needs the time to be set to all time.</P> <P>I want a list of locations not found in the second query. Any suggestions?</P> Mon, 13 May 2019 21:00:23 GMT JoshuaJohn 2019-05-13T21:00:23Z https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458607#M129483 <P>I know I am for sure over-complicating this. I need to find values that are in field x, that are not in field y.</P> <P>This is my first query:</P> <PRE><CODE>index=nitro_prod_loc_server earliest=-4h | stats values("locId") as All_Locs </CODE></PRE> <P>This returns all locations, it requires a 4 hour timespan</P> <P>This is my second query:</P> <PRE><CODE>index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number" | stats values("locId") as "Checked_Locs" </CODE></PRE> <P>This returns a list of locations that have been checked, it needs the time to be set to all time.</P> <P>I want a list of locations not found in the second query. Any suggestions?</P> Mon, 13 May 2019 21:00:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458607#M129483 JoshuaJohn 2019-05-13T21:00:23Z https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458608#M129484 <P>Hi JoshuaJohn,</P> <P>you should not use <CODE>join</CODE> for reasons.</P> <P>You can use a <CODE>multireport</CODE> to do this, and this SPL is un-tested so you might have to modify it to match <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> <PRE><CODE>| multireport [ search index=nitro_prod_loc_server earliest=-4h | stats values("locId") as All_Locs ] [ search index=nitro_prod_loc_server appName="nitroCheck" bdy.addInfo{}.key="Serial Number" | stats values("locId") as "Checked_Locs" ] | streamstats count(index) AS c_idx | where c_idx &lt; 2 AND isnull(appName) </CODE></PRE> <P>This would assume you have no <CODE>appName</CODE> field returned from the first search.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Mon, 13 May 2019 21:12:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458608#M129484 MuS 2019-05-13T21:12:51Z https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458609#M129485 <P>Ah I do have an appName returned from the first field, it always returns something (regardless if its set to specifically return)</P> Tue, 14 May 2019 13:51:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458609#M129485 JoshuaJohn 2019-05-14T13:51:26Z https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458610#M129486 <P>Got it</P> <PRE><CODE>| multisearch [ search index=-### appName="NotifiCenter" earliest=-4h] [ search index=-### appName="NitroCheck" bdy.addInfo{}.key="Serial Number" ] | stats values(locId) as location distinct_count(locId) AS c_idx by appName | stats count(appName) as c_appName by location | where c_appName &lt; 2 | table location | sort location asc </CODE></PRE> Tue, 14 May 2019 15:25:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-unique-values-between-two-queries/m-p/458610#M129486 JoshuaJohn 2019-05-14T15:25:15Z