https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528574#M149260 <P>OK I have been reading most of the morning and I have to just be missing something very simple.</P><P>To explain what I am trying to do.</P><P>1. Lets take the simple query index=* host=*test*|dedup host|table host</P><P>This will obviously give me a unique list of hosts.</P><P>2. Second Query index=* host=*test* "Bleebles"|dedup host|table host</P><P>This query will give me a unique list of hosts where the string "Bleebles" was found. (Obviously this is just example data)</P><P>What I am trying (And failing) at is marrying these two queries up, and returning ONLY hostnames that DO NOT return records with the string "Bleebles" but of course issue #1 is when I invert the logic on search #2 I get EVERY record that has been splunked and doesn't match (Which is literally all the data)&nbsp;</P><P>Can anyone help with the logic I am missing here, using the two very basic queries above how would I first generate the full host list (That's the easy part) but then print a deduped list of hostnames that did NOT return a result in query #2, thereby giving me an exceptions list?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Nov 2020 18:01:44 GMT mmccaugh9472 2020-11-09T18:01:44Z https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528574#M149260 <P>OK I have been reading most of the morning and I have to just be missing something very simple.</P><P>To explain what I am trying to do.</P><P>1. Lets take the simple query index=* host=*test*|dedup host|table host</P><P>This will obviously give me a unique list of hosts.</P><P>2. Second Query index=* host=*test* "Bleebles"|dedup host|table host</P><P>This query will give me a unique list of hosts where the string "Bleebles" was found. (Obviously this is just example data)</P><P>What I am trying (And failing) at is marrying these two queries up, and returning ONLY hostnames that DO NOT return records with the string "Bleebles" but of course issue #1 is when I invert the logic on search #2 I get EVERY record that has been splunked and doesn't match (Which is literally all the data)&nbsp;</P><P>Can anyone help with the logic I am missing here, using the two very basic queries above how would I first generate the full host list (That's the easy part) but then print a deduped list of hostnames that did NOT return a result in query #2, thereby giving me an exceptions list?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Nov 2020 18:01:44 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528574#M149260 mmccaugh9472 2020-11-09T18:01:44Z https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528587#M149263 <P>OK I think I may have finally figured this out, posting what I did in case anyone else comes across this down the line.</P><P>&nbsp;</P><P>index=* host=*test* | join type=outer host [ search index=* host=*test* "Bleebles" | stats count by host ] | where isnull(count) | dedup host | table host | sort by host</P><P>This appears to be working so far!</P><P>&nbsp;</P> Mon, 09 Nov 2020 18:28:06 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528587#M149263 mmccaugh9472 2020-11-09T18:28:06Z https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528675#M149264 <LI-CODE lang="markup">index=* host=*test* | where not match(_raw,"Bleebles")|dedup host|table host</LI-CODE> Mon, 09 Nov 2020 19:21:18 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528675#M149264 ITWhisperer 2020-11-09T19:21:18Z https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528732#M149270 <P>This one still gives me the entire list (Not just the exceptions) but what I wrote does work, I just need to figure out why it takes so long to run and what I can do to improve it.</P><P>But at least it is accurate which is a start!&nbsp;</P> Mon, 09 Nov 2020 20:12:22 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528732#M149270 mmccaugh9472 2020-11-09T20:12:22Z https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528737#M149275 <P>Try something like this:</P><P>&nbsp;</P><LI-CODE lang="markup">index=* host=*test* | eval hasString=if(match(_raw,"Bleebles"),1,0) | stats max(hasString) as hasString by host | where hasString=0 |table host</LI-CODE> Mon, 09 Nov 2020 20:33:37 GMT https://community.splunk.com/t5/Splunk-Search/Nested-Search-Question/m-p/528737#M149275 somesoni2 2020-11-09T20:33:37Z