https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97529#M25169 <P>I get around the limitation of <CODE>|search NOT [subsearch]</CODE> by putting the NOT in the subsearch.</P> <P><CODE>|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]</CODE></P> <P>This forces the query returned to use the NOT.</P> Wed, 17 Apr 2013 12:36:19 GMT alacercogitatus 2013-04-17T12:36:19Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97526#M25166 <P>Hi Guys,</P> <P>I have here 2 savedsearches, now i want to do a left outer join between both of them.<BR /> I'm using the following query:<BR /> <STRONG>| savedsearch "saved1" NOT [| savedsearch "saved2" | dedup accid | fields accid]</STRONG></P> <P>There seems to be a problem with the syntax.<BR /> Or is it not possible to use it with SavedSearch??</P> <P>Please Help.<BR /> Thanks!!</P> Wed, 17 Apr 2013 10:08:18 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97526#M25166 pradeep0802 2013-04-17T10:08:18Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97527#M25167 <P>The subsearch's results will be expanded to something like</P> <PRE><CODE>((accid="accid1") OR (accid="accid2") OR ... ) </CODE></PRE> <P>Which is incorrect syntax for the subsearch command. You probably want to use it with the search command.</P> <PRE><CODE>| savedsearch "saved1" | search NOT [| savedsearch "saved2" | dedup accid | fields accid] </CODE></PRE> Wed, 17 Apr 2013 10:51:07 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97527#M25167 Ayn 2013-04-17T10:51:07Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97528#M25168 <P>if i use <BR /> | search NOT<BR /> the resulted output is wrong</P> <P>o\p saved1 is 20 rows and saved2 is 14 rows, there are 12 rows common in both. what we need is 8 rows from saved1 that are not present in saved2.. But using | search NOT gives result similar to outer join. ie 20 rows of saved1</P> <P>what we are trying to achieve is similar to NOT IN clause in sql.</P> <P>Any suggestion where we be going wrong..</P> Wed, 17 Apr 2013 11:17:25 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97528#M25168 pradeep0802 2013-04-17T11:17:25Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97529#M25169 <P>I get around the limitation of <CODE>|search NOT [subsearch]</CODE> by putting the NOT in the subsearch.</P> <P><CODE>|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]</CODE></P> <P>This forces the query returned to use the NOT.</P> Wed, 17 Apr 2013 12:36:19 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97529#M25169 alacercogitatus 2013-04-17T12:36:19Z https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97530#M25170 <P>|savedsearch "saved1" [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]</P> <P>doesn't return anything<BR /> But,<BR /> |savedsearch "saved1" | search NOT [|savedsearch "saved2" | dedup accid| fields accid|format "NOT (" "(" "" ")" "OR" ")" ]</P> <P>gives matching rows from both savedsearches.</P> <P>but we need other unmatched rows from saved1.</P> <P>any suggestion..? or any other way we can achieve this.</P> Thu, 18 Apr 2013 04:56:21 GMT https://community.splunk.com/t5/Splunk-Search/Syntax-for-subsearches-for-using-NOT-function-btw-2/m-p/97530#M25170 pradeep0802 2013-04-18T04:56:21Z