https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592669#M206295 <P>I have 2 Splunk Queries&nbsp;</P><P>First Query will return the Employee ID of the Active and Retired Employees.</P><P>Second Query will return the Employee ID of the retired Employees.</P><P>&nbsp;</P><P>I want to merge both the queries to get the result of only the Active employees.&nbsp;</P><P>by removing the Retired_Employee_ID from the list of&nbsp;Employee_Id</P><P>Query1)</P><P>index=employee_data |<FONT color="#008000"><EM> rex field=_raw&nbsp;&lt;regular expression used to extract Employee_ID&gt;offset_field=_extracted_fields_bounds</EM></FONT> | table Employee_Id</P><P><BR />Query2)</P><P>index=employee_data |<EM><FONT color="#008000"> rex field=_raw&nbsp;&lt;regular expression used to extract Retired_Employee_ID&gt;offset_field=_extracted_fields_bounds</FONT> </EM>| table Retired_Employee_ID</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Apr 2022 14:00:45 GMT ngautam760 2022-04-06T14:00:45Z https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592669#M206295 <P>I have 2 Splunk Queries&nbsp;</P><P>First Query will return the Employee ID of the Active and Retired Employees.</P><P>Second Query will return the Employee ID of the retired Employees.</P><P>&nbsp;</P><P>I want to merge both the queries to get the result of only the Active employees.&nbsp;</P><P>by removing the Retired_Employee_ID from the list of&nbsp;Employee_Id</P><P>Query1)</P><P>index=employee_data |<FONT color="#008000"><EM> rex field=_raw&nbsp;&lt;regular expression used to extract Employee_ID&gt;offset_field=_extracted_fields_bounds</EM></FONT> | table Employee_Id</P><P><BR />Query2)</P><P>index=employee_data |<EM><FONT color="#008000"> rex field=_raw&nbsp;&lt;regular expression used to extract Retired_Employee_ID&gt;offset_field=_extracted_fields_bounds</FONT> </EM>| table Retired_Employee_ID</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Apr 2022 14:00:45 GMT https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592669#M206295 ngautam760 2022-04-06T14:00:45Z https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592670#M206296 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237054">@ngautam760</a>,</P><P>please try soimething like this:</P><LI-CODE lang="markup">index=employee_data Employee_ID="*" NOT Retired_Employee_ID="*" | table Retired_Employee_ID</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 06 Apr 2022 12:29:23 GMT https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592670#M206296 gcusello 2022-04-06T12:29:23Z https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592675#M206301 <P>I think Giuseppe meant</P><LI-CODE lang="markup">index=employee_data Employee_ID="*" NOT Retired_Employee_ID="*" | table Employee_ID</LI-CODE> Wed, 06 Apr 2022 12:49:37 GMT https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592675#M206301 ITWhisperer 2022-04-06T12:49:37Z https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592676#M206302 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/237054">@ngautam760</a>,</P><P>if you do't have the fields&nbsp;Employee_ID and Retired_Employee_ID, you have two choices:</P><UL><LI>create a permanent field extraction using your regexes, so you'll have both the fields and you can use my regex,</LI><LI>insert the filters on the fields after the rex extraction, something like this:</LI></UL><LI-CODE lang="markup">index=employee_data | rex "Employee_ID_extraction" | rex "Retired_Employee_ID" | search Employee_ID="*" NOT Retired_Employee_ID="*" | table Retired_Employee_ID</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 06 Apr 2022 12:50:03 GMT https://community.splunk.com/t5/Splunk-Search/Remove-record-from-Query1-if-present-in-Query2/m-p/592676#M206302 gcusello 2022-04-06T12:50:03Z