topic Re: how to exclude the subsearch result from main search in Splunk Search

how to exclude the subsearch result from main search

ycho1 — Wed, 27 Oct 2021 01:37:19 GMT

hello,

Can anyone tell me how to exclude the subsearch result from main search?
I want to exclude the result that failed at 1st attempt, but later the person purchased successfully.

I only want to capture PURCHASEID(s) that failed and has not been able to purchase yet.

Here's my pseudo code that I am trying to accomplish

index=main sourcetype="access_combined_wcookie" AND ("*TIME_OUT*")
| rex field=_raw "\[(?<PURCHASEID>\d{12}\-\d{3})\]"
| search NOT [ search index=main sourcetype="access_combined_wcookie" AND ("*Successfully Ordered*")"
| rex field=_raw "\[(?<PURCHASEID>\d{12}\-\d{3})\]" | table PURCHASEID]
| table PURCHASEID, _raw
| dedup PURCHASEID
| sort +PURCHASEID

Re: how to exclude the subsearch result from main search

PickleRick — Wed, 27 Oct 2021 06:02:59 GMT

You could try it with subsearch and exclusion (you'd need to enclose the subsearch in parentheses though) but it will be highly inefficient. If you can corelate on a particular field (and I can see you want to use PURCHASEID for this), use either selfjoin, transaction or even simple stats to group your events.

Re: how to exclude the subsearch result from main search

ycho1 — Wed, 27 Oct 2021 14:30:35 GMT

Can you provide me a good example on how to write selfjoin or other solution with my intention if you are willing to help?

Re: how to exclude the subsearch result from main search

isoutamo — Wed, 27 Oct 2021 15:36:13 GMT

Maybe this helps https://conf.splunk.com/files/2019/slides/FNC2751.pdf

Re: how to exclude the subsearch result from main search

ycho1 — Thu, 28 Oct 2021 18:08:23 GMT

Is there any other suggestion?

I have not made much progress on this, I was looking for some examples with selfjoin, transaction or stats commad, it won't go anywhere.