topic Re: not able to merge 2 queries to get the desired result in Splunk Search

not able to merge 2 queries to get the desired result

vinitpathri — Tue, 06 Apr 2021 08:26:22 GMT

I have 2 queries

1st is

| rest /services/data/indexes
| fields title
| dedup title
| table title

this query is giving me all the indexes in my environment

2nd query is

this is giving me all the indexes on which any savedsearch is created.

Now i want to see the remove the 2nd query set from 1st and just wanted to see the indexes on which there are no savedsearches in the environment.

I have tried placing "NOT" between the queries but not able to get the desired result.

Please help

Thanks in advance.

Re: not able to merge 2 queries to get the desired result

ITWhisperer — Tue, 06 Apr 2021 08:36:28 GMT

Re: not able to merge 2 queries to get the desired result

vinitpathri — Mon, 12 Apr 2021 08:42:02 GMT

Thanks for your quick reply but the above query is not giving the exact required result (i am getting few of the indexes/feeds on which there is no savedsearch but not all)

Re: not able to merge 2 queries to get the desired result

scelikok — Mon, 12 Apr 2021 08:58:08 GMT

Hi @vinitpathri,

Your first query outputs titles event rex does not match, please try below, I filtered internal indexes and also index=* searches;

Re: not able to merge 2 queries to get the desired result

ITWhisperer — Mon, 12 Apr 2021 09:40:17 GMT

I guess there are a couple of things to try. Firstly, depending on your searches, you may or may not use double quotes around index names, so trim those. Secondly, again depending on your searches, you may be searching more than one index, so use max_match=0. Finally, title is returned by saved/searches so you should probably override that with the index name found.