topic How to only return subsearch results which are not available on main search? in Splunk Search

How to only return subsearch results which are not available on main search?

splunkxorsplunk — Fri, 29 Jul 2022 23:24:41 GMT

I have two indexes which include same data in a different fields as seen below.

index1 -- user, fileName, ...etc

index2 -- event.file, actor

user = actor and fileName = event.file

The following search gives me if a user and their file in index2 is available in the index1, but I dont need this since I know they should be included in index1

What I am trying to find is : If a user and their file in index2 is NOT available in the index1, I wanna list them out.

Thanks for help

index="index1"

[search index="index2" "event"=event2 event.file="something_*"

| table event.file, actor
| rename event.file as fileName, actor as user
]

| table actor

Re: Only return subsearch results which are not available on main search

richgalloway — Fri, 29 Jul 2022 20:54:37 GMT

Swap the searches and you should get what you're looking for.

index="index2" NOT [search index="index1" "event"=event2 fileName="something_*" | fields fileName user | rename fileName as event.file, user as actor | format ] | table actor

Re: Only return subsearch results which are not available on main search

splunkxorsplunk — Fri, 29 Jul 2022 21:28:10 GMT

Thanks for solution recommendations!

My initial pivot point should be index2 since index1 includes all files and actors. if a user and associated file is available in index2 but not index1, that is what I am looking for.