https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695071#M236374 <P>You could try something like this</P><LI-CODE lang="markup">| tstats count where index=_internal OR index=* NOT [search index="_internal" source="*metrics.log*" group=tcpin_connections | stats count by hostname | rename hostname as host | table host] BY host</LI-CODE> Fri, 02 Aug 2024 11:10:26 GMT ITWhisperer 2024-08-02T11:10:26Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695059#M236367 <P>Good day, I am pretty new to Splunk and want a way to join two queries together.<BR /><BR />Query 1 - Gives me all of my assets</P> <LI-CODE lang="markup">| tstats count where index=_internal OR index=* BY host</LI-CODE> <P><BR /><BR />Query 2 - Give me all of my devices that ingest into the forwarder</P> <LI-CODE lang="markup">index="_internal" source="*metrics.log*" group=tcpin_connections | dedup hostname | table date_hour, date_minute, date_mday, date_month, date_year, hostname, sourceIp, fwdType ,guid ,version ,build ,os ,arch | stats count</LI-CODE> <P><BR /><BR /><BR />How can I join this to create a query that will find all my devices (query1) and check if they have the forwarder installed(query2) and show me the results of devices that are not in query 2?</P> Fri, 02 Aug 2024 13:53:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695059#M236367 JandrevdM 2024-08-02T13:53:11Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695061#M236368 <P>The count is just used in my dashboard view and will be removed in initial query.</P><P>&nbsp;</P> Fri, 02 Aug 2024 09:45:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695061#M236368 JandrevdM 2024-08-02T09:45:18Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695071#M236374 <P>You could try something like this</P><LI-CODE lang="markup">| tstats count where index=_internal OR index=* NOT [search index="_internal" source="*metrics.log*" group=tcpin_connections | stats count by hostname | rename hostname as host | table host] BY host</LI-CODE> Fri, 02 Aug 2024 11:10:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695071#M236374 ITWhisperer 2024-08-02T11:10:26Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695101#M236390 <P>Thanks!<BR /><BR />I tried different ways but am unable to get this, if I want to add a line to check if the device is an azure VM how would I do this?<BR /><BR /></P> <PRE>| tstats count where index=_internal OR index=* NOT [search index="_internal" source="*metrics.log*" group=tcpin_connections | stats count by hostname | rename hostname as host | table host] BY host</PRE> <P>AND</P> <LI-CODE lang="markup">[ search index=db_cloud sourcetype="azure:compute:vm:instanceView" | rename host as host_changed | table host_changed] BY host</LI-CODE> <P><BR /><BR />I tried this but it does not work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>&nbsp;</P> Fri, 02 Aug 2024 13:52:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695101#M236390 JandrevdM 2024-08-02T13:52:38Z https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695102#M236391 <P>Have you tried it this way:</P><LI-CODE lang="markup">| tstats count where index=_internal OR index=* [ search index=db_cloud sourcetype="azure:compute:vm:instanceView" | stats count by host | table host ] NOT [search index="_internal" source="*metrics.log*" group=tcpin_connections | stats count by hostname | rename hostname as host | table host] BY host</LI-CODE> Fri, 02 Aug 2024 14:07:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-join-two-queries-and-show-not-contain-value/m-p/695102#M236391 ITWhisperer 2024-08-02T14:07:01Z