topic Re: NOT Search is not giving the expected result in Splunk Search

NOT Search is not giving the expected result

ajees_basha — Thu, 17 Sep 2020 10:18:02 GMT

i am trying the exclude the events in the sub search query using Search NOT. It is not returning the expected result.

in this i am trying to exclude "system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod" events. Both the logs are are coming from 2 different system..callback is the common field between two search queries.

Query:

environment=PROD system=API1 Message="API l logs"|dedup callbacknumber
| search NOT [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod ]| table callbacknumber

Any help will be highly appreciated

Re: NOT Search is not giving the expected result

ajees_basha — Thu, 17 Sep 2020 10:20:26 GMT

niketnilay @IRHM73

Re: NOT Search is not giving the expected result

thambisetty — Thu, 17 Sep 2020 11:42:55 GMT

environment=PROD system=API1 Message="API l logs"|stats count as events_count by callbacknumber | append [search system=APICleanUp callbacknumber=* Message="API Success" sourcetype=application_prod | stats count as subevents_count by callbacknumber] | stats values(*) as * by callbacknumber | where isnotnull(events_count) AND isnull(subevents_count)

Re: NOT Search is not giving the expected result

ajees_basha — Thu, 17 Sep 2020 13:48:50 GMT

Thanks for your time @thambisetty ..sorry it is not giving the expected result.

Basically i would like to see the callback numbers which should have the log Message="API 1 logs" and should not have the log Message= "API Success".

first Message="API 1 logs" event will happen in the system=API1 followed by the event Message= "API Success" in the system=APICleanUp.

Re: NOT Search is not giving the expected result

thambisetty — Thu, 17 Sep 2020 13:55:27 GMT

but callbacknumber is unique for both right ?

Re: NOT Search is not giving the expected result

ajees_basha — Fri, 18 Sep 2020 00:54:23 GMT

yes it is unique in both the queries

Re: NOT Search is not giving the expected result

thambisetty — Fri, 18 Sep 2020 08:08:25 GMT

then my query should definitely work. if you can give more details I can troubleshoot. like sample event of two data sets and extracted fields and used fields in search.