https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260758#M176394 <P>any body advise me why the below query is not showing the the IP's whereas I am sure that there are some IP's who are bluecoat logs but not in websense logs:</P> <P>index=websense sourcetype=websense src NOT [search index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src ]</P> Thu, 20 Oct 2016 05:27:20 GMT rashid47010 2016-10-20T05:27:20Z https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260758#M176394 <P>any body advise me why the below query is not showing the the IP's whereas I am sure that there are some IP's who are bluecoat logs but not in websense logs:</P> <P>index=websense sourcetype=websense src NOT [search index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src ]</P> Thu, 20 Oct 2016 05:27:20 GMT https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260758#M176394 rashid47010 2016-10-20T05:27:20Z https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260759#M176395 <P>Isn't that your query is doing exactly opposite:</P> <PRE><CODE>Search IPs in websense log which are NOT in [ IPs in bluecoat logs] </CODE></PRE> <P>Shouldn't you be doing below if you want *<EM>some IP's who are bluecoat logs but not in websense logs:<BR /> *</EM>:</P> <PRE><CODE>Search IPs in bluecoat logs NOT in [ IPs in websense logs ] </CODE></PRE> Thu, 20 Oct 2016 05:52:49 GMT https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260759#M176395 gokadroid 2016-10-20T05:52:49Z https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260760#M176396 <P>To troubleshot your search start to try your single searches separately and see if there are values in both of them and values that aren't in both of them.</P> <UL> <LI>index=websense sourcetype=websense src</LI> <LI>index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src</LI> </UL> <P>In addition, verify that the field src is present in both the searches?</P> <P>The string "src" that you put before "NOT" means that in the first search you want to search also the word "src" or other?</P> <P>Bye.<BR /> Giuseppe</P> Thu, 20 Oct 2016 08:15:49 GMT https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260760#M176396 gcusello 2016-10-20T08:15:49Z https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260761#M176397 <P>the src field is common for both devices. and I check the logs individually. I have one use case that for sure he is bypassing websense control(means there are no logs on websense for that src IP)</P> <P>but still now showing any result:<BR /> my query is :</P> <P>index=websense sourcetype=websense NOT [search index=bcoat sourcetype="bluecoat:proxysg:access:file" | fields src ]</P> Thu, 20 Oct 2016 08:33:22 GMT https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260761#M176397 rashid47010 2016-10-20T08:33:22Z https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260762#M176398 <P>I am trying now with this query.<BR /> shortly I will update you with the results.</P> <P>index=bcoat sourcetype="bluecoat:proxysg:access:file" NOT [search index=websense | fields src ]</P> Thu, 20 Oct 2016 08:35:51 GMT https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260762#M176398 rashid47010 2016-10-20T08:35:51Z https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260763#M176399 <P>does your search run without "NOT"? what result you have?<BR /> Bye.<BR /> Giuseppe</P> Thu, 20 Oct 2016 08:43:06 GMT https://community.splunk.com/t5/Splunk-Search/coorelated-event/m-p/260763#M176399 gcusello 2016-10-20T08:43:06Z