https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175478#M186652 <P>Am I missing something though? I want everything in the 1st list that is NOT in the 2nd list. Shouldn't I be using the NOT search?</P> Wed, 11 Dec 2013 19:47:26 GMT andrewkenth 2013-12-11T19:47:26Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175475#M186649 <P>I can't beleive I'm coming to Answers to ask this as I've done it many times before but I must be missing something that I'm hoping you can help me find.</P> <P>I have a list of events by user and date and I want to show any of those user/date combiation not in the list of user date combinations below:</P> <P>List of Events with Users (and Date)</P> <PRE><CODE>index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName </CODE></PRE> <P>List of Allowed Users (and Date)</P> <PRE><CODE>index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date, UserName index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName | search NOT [ search index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date, UserName ] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date </CODE></PRE> <P>My raw data and props.conf look like this:</P> <PRE><CODE>"TimeStamp","ServerName","HostName","DBName","UserName","LoginType","AssociatedRole" "Dec 10 2013 12:36AM","426420-SQLCLUS1","426099-WELLDB1","ConfigLogging","dbo","WINDOWS_USER","db_owner" NO_BINARY_CHECK = 1 pulldown_type = 1 HEADER_MODE = firstline FIELD_DELIMITER=, FIELD_QUOTE=" TIME_FORMAT=%b %d %Y %H:%M%p TIMESTAMP_FIELDS=TimeStamp </CODE></PRE> Wed, 11 Dec 2013 17:50:13 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175475#M186649 andrewkenth 2013-12-11T17:50:13Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175476#M186650 <P>What do the results look like when you run the searches separately. Ok?</P> Wed, 11 Dec 2013 18:13:19 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175476#M186650 kristian_kolb 2013-12-11T18:13:19Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175477#M186651 <P>Try following</P> <PRE><CODE>index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by SqlServerLogon | rename SqlServerLogon as UserName |search [index=charlesriver (sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users) | bucket span=1d _time| stats first(_time) as Date by UserName] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date </CODE></PRE> Wed, 11 Dec 2013 18:15:31 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175477#M186651 somesoni2 2013-12-11T18:15:31Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175478#M186652 <P>Am I missing something though? I want everything in the 1st list that is NOT in the 2nd list. Shouldn't I be using the NOT search?</P> Wed, 11 Dec 2013 19:47:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175478#M186652 andrewkenth 2013-12-11T19:47:26Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175479#M186653 <P>They do appear to be correct. Only when I combine them do I see unexpected results.</P> Wed, 11 Dec 2013 20:08:22 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175479#M186653 andrewkenth 2013-12-11T20:08:22Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175480#M186654 <P>what if you use <CODE>fields + Date, Username</CODE> instead of <CODE>table</CODE> at the end of the subsearch</P> Wed, 11 Dec 2013 20:12:52 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175480#M186654 kristian_kolb 2013-12-11T20:12:52Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175481#M186655 <P>...and perhaps I should ask, 'unexpected how?'?</P> Wed, 11 Dec 2013 20:15:42 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175481#M186655 kristian_kolb 2013-12-11T20:15:42Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175482#M186656 <P>No, I have missed it. Please include NOT after "search" command in line 5 of search.</P> Wed, 11 Dec 2013 21:07:16 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175482#M186656 somesoni2 2013-12-11T21:07:16Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175483#M186657 <P>Unexpected meaning I almost always have a match and this search shows that there are never matches. I can manually find the same Date/UserName combination value in each list.</P> Wed, 11 Dec 2013 22:00:42 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175483#M186657 andrewkenth 2013-12-11T22:00:42Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175484#M186658 <P>try including the trim search command in the usernames to see if there are spaces after them.</P> <P>Eval UserName=trim(SqlServerLogon)<BR /><BR /> Eval UserName=trim(UserName)</P> Thu, 12 Dec 2013 14:32:57 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175484#M186658 aelliott 2013-12-12T14:32:57Z https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175485#M186659 <P>Something seemed to have been wrong with my search string as this works:</P> <PRE><CODE>index=charlesriver (sourcetype=SQLAPP_Events OR sourcetype=SQLRPT_Events) "Login succeeded for user " | bucket span=1d _time | stats count first(_time) as Date by _time, SqlServerLogon | rename SqlServerLogon as UserName | table Date UserName count | search NOT [ search index=charlesriver sourcetype=SqlServer_AppDB_Users OR sourcetype=SqlServer_RptDB_Users | bucket span=1d _time | stats count first(_time) as Date by _time, UserName | table Date UserName | sort -Date ] | eval Date=strftime(Date,"%m/%d/%Y") | table Date, UserName, count | sort -Date </CODE></PRE> Thu, 12 Dec 2013 15:36:32 GMT https://community.splunk.com/t5/Splunk-Search/Need-Help-With-Simple-NOT-Search/m-p/175485#M186659 andrewkenth 2013-12-12T15:36:32Z