https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420591#M167728 <P>I am trying to find missing stores from query 2 in the below script. However, it returns no results, or all results depending on the search. For the purposes of my search, I know the correct result is one. Can you please assist me in my evaluations to get what I'm seeking? I've beeing trying this for days now. </P> <PRE><CODE>host=s*0009 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table nodiff StoreEDWFile StoreonMainframe </CODE></PRE> Thu, 23 Aug 2018 20:27:33 GMT benj851 2018-08-23T20:27:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420591#M167728 <P>I am trying to find missing stores from query 2 in the below script. However, it returns no results, or all results depending on the search. For the purposes of my search, I know the correct result is one. Can you please assist me in my evaluations to get what I'm seeking? I've beeing trying this for days now. </P> <PRE><CODE>host=s*0009 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table nodiff StoreEDWFile StoreonMainframe </CODE></PRE> Thu, 23 Aug 2018 20:27:33 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420591#M167728 benj851 2018-08-23T20:27:33Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420592#M167729 <P>I’ve tried using not before the sub query instead of the bool check at the end. It was also not successful </P> Thu, 23 Aug 2018 23:04:03 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420592#M167729 benj851 2018-08-23T23:04:03Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420593#M167730 <P>is it possible to get the small set of results of both queries?</P> Fri, 24 Aug 2018 09:31:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420593#M167730 vishaltaneja070 2018-08-24T09:31:40Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420594#M167731 <P>Using NOT and a subsearch: No results are returned for the subsearch when there should be 1200+. Each query should return 1200+ results:</P> <P>host=s02*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\pototo.exe" | dedup host | eval StoreEDWFile=substr(ComputerName,2,4) | sort StoreEDWFile | search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 <EM>CFT</EM> DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | sort StoreonMainframe | table StoreEDWFile StoreonMainframe</P> <P>returns only values for StoreEDWFile: </P> <P>StoreEDWFile StoreonMainframe<BR /> 0202<BR /><BR /> 0203<BR /><BR /> 0204<BR /><BR /> 0205 </P> <P>This is a problem because StoreEDWFile is not in question. StoreonMainframe should have been missing </P> Tue, 29 Sep 2020 20:59:42 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420594#M167731 benj851 2020-09-29T20:59:42Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420595#M167732 <P>This should return one result on StoreonMainframe; but the only results returned are for nodiff. When you view the results they are related to StoreCallEDW.<BR /> host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\program\Bin\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | sort StoreCallEDW |search NOT [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 <EM>CFT</EM> DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4) | Sort StoreonMainframe] | eval nodiff=if(match(StoreCallEDW,StoreonMainframe), "True", "False")| table nodiff StoreEDWFile StoreonMainframe</P> <P>Results:<BR /> nodiff StoreEDWFile StoreonMainframe<BR /> False<BR /><BR /> False<BR /><BR /> False</P> Tue, 29 Sep 2020 20:59:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420595#M167732 benj851 2020-09-29T20:59:45Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420596#M167733 <PRE><CODE>In this example I'm simply asking for results for each query but I get no results: host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | search [ search index=mainframe host=MVSB* MFSOURCETYPE=SMF080 *CFT* DEFINE_RESOURCE="SUCCESSFUL_DEFINITION" | spath RESOURCE_NAME | search RESOURCE_NAME="EDWABP.V15.TLOG.DATA.*" | eval StoreonMainframe=substr(RESOURCE_NAME,29,4)] | table StoreEDWFile StoreonMainframe </CODE></PRE> <P>Result: <BR /> No Results found</P> Fri, 24 Aug 2018 18:00:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420596#M167733 benj851 2018-08-24T18:00:12Z https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420597#M167734 <P>Here is just the first query, the query that must have something in order for the subquery to <EM>possibly</EM> have something: </P> <PRE><CODE>host=s008*0004 Type=Information EventCodeDescription="A new process has been created" New_Process_Name="D:\\Program\\Bin\\potato.exe" | dedup host | eval StoreCallEDW=substr(ComputerName,2,4) | table StoreCallEDW </CODE></PRE> <P>Results are: </P> <P>StoreCallEDW<BR /> 0084<BR /> 0086<BR /> 0080</P> Fri, 24 Aug 2018 18:02:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-find-missing-information-from-query-2-and-query-1/m-p/420597#M167734 benj851 2018-08-24T18:02:18Z