topic Re: How to return results from Search1 which are not present in Search2? in Splunk Search

How to return results from Search1 which are not present in Search2?

cvreddy — Wed, 01 Jun 2016 10:56:53 GMT

I have two searches that will return common fields Event & UUID.
I have to get the results from the first search which are not present in the second search.

Search 1:

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server"

Search 2:

State="SendEmail" Action="After-SendEmail"

Can anyone provide the best search to find them?

Thanks in advance

Re: How to return results from Search1 which are not present in Search2?

sundareshr — Wed, 01 Jun 2016 12:38:40 GMT

Try this

State="ConsumeMessageFromRabbitMQ" Action="Received-From-RabbitMQ-Server" NOT [search State="SendEmail" Action="After-SendEmail" | dedup UUID | table UUID] | table Event UUID

Re: How to return results from Search1 which are not present in Search2?

cvreddy — Wed, 01 Jun 2016 14:17:27 GMT

I've to eliminate UUID's from first query which are present in second query.
With the given query I'm getting more records as expected.