https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540749#M153032 <P>This worked. Thank you very much&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a></P> Mon, 22 Feb 2021 02:02:45 GMT Joe20 2021-02-22T02:02:45Z https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540689#M152987 <P>I have events with two keys <STRONG>area</STRONG> and <STRONG>errortext</STRONG>. Sample event below:&nbsp;</P><P>&nbsp;</P><P><SPAN>[</SPAN><SPAN class="t">2021-02-20</SPAN> <SPAN class="t">19:27:37.599</SPAN> <SPAN class="t">GMT</SPAN><SPAN>] </SPAN><SPAN class="t">ERROR</SPAN> <SPAN class="t">Servlet</SPAN><SPAN>|test-event</SPAN><SPAN>|</SPAN><SPAN>&nbsp;<STRONG>element</STRONG></SPAN><SPAN class="t">=PlaceOrder</SPAN><SPAN>,</SPAN><SPAN class="t">routine=start</SPAN><SPAN>,</SPAN><SPAN class="t">receiptNumber=000006</SPAN><SPAN>,</SPAN><SPAN class="t"><STRONG><SPAN class="t a">errortext</SPAN></STRONG>=</SPAN><SPAN>"</SPAN><SPAN class="t">Initiating</SPAN> <SPAN class="t">ReversePayments</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">Order</SPAN><SPAN>, </SPAN><SPAN class="t">Reason:</SPAN> <SPAN class="t">Inventory</SPAN> <SPAN class="t">reservation</SPAN> <SPAN class="t">failed"</SPAN></P><P>I need to find :</P><P>1. unique events that match <STRONG>element</STRONG> and <STRONG>errortext</STRONG> values for a time window -1</P><P>2. find the same unique events for a time window-2&nbsp; then&nbsp;</P><P>3. find events that are present in time window-1 and NOT in time window-2&nbsp;</P><P>To find unique events in time-window-1&nbsp; --I am using the below query.&nbsp;</P><P>&nbsp;</P><PRE>index=dev sourcetype!=warn <STRONG>element</STRONG> AND <STRONG>errortext</STRONG> earliest=@w5 latest=+7d@w6 | dedup <STRONG>element,errortext</STRONG> | table&nbsp;<STRONG>element,errortext</STRONG></PRE><P>&nbsp;I am trying to use search and NOT but not able do so in this case.&nbsp;</P><PRE>SearchOne NOT [ SearchTwo&nbsp;]</PRE><P>&nbsp;</P> Sun, 21 Feb 2021 03:31:57 GMT https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540689#M152987 Joe20 2021-02-21T03:31:57Z https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540691#M152989 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231267">@Joe20</a>&nbsp;</P><P>Using an example time window of 24 hours, try:</P><P>element=* errortext=* earliest=-24h latest=now NOT [&nbsp;element=* errortext=* earliest=-48h latest=-24h | table element errortext ]</P><P>This will return events over the last 24 hours with key field combinations (element AND errortext) that were not present between 48 and 24 hours ago.</P><P>You may want to review timestamp extractions and time zone offsets if you frequently need to search for future times, e.g. <A href="mailto:+7d@w6," target="_blank">+7d@w6,</A>&nbsp;and those future times are not be design.</P> Sun, 21 Feb 2021 05:07:40 GMT https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540691#M152989 tscroggins 2021-02-21T05:07:40Z https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540749#M153032 <P>This worked. Thank you very much&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/49493">@tscroggins</a></P> Mon, 22 Feb 2021 02:02:45 GMT https://community.splunk.com/t5/Splunk-Search/Find-unique-events-in-one-search-and-NOT-the-other/m-p/540749#M153032 Joe20 2021-02-22T02:02:45Z