Get non matching ID's from first search

raghu0463 · ‎05-27-2021

Hi,

I'm trying to get non matching id's from first search to second search.

eg:

i have 10 id's from first search and only 5 id's are matching to second, i need to display the other non matching id's from first search

1st search 2nd search
ID name joined_date Cust_id name joined_date last_date
100 a 01/01/2000 100 a 01/01/2000 12/01/2001
150 b 02/01/2000 150 b 02/01/2000 12/01/2002
200 c 03/01/2000 200 c 03/01/2000 11/01/2001
250 d 04/01/2000 250 d 04/01/2000 10/01/2001
300 e 05/01/2000 300 e 05/01/2000 12/01/2005
350 f 05/01/2000
400 g 06/01/2000
450 h 06/01/2000
500 i 07/01/2000
550 j 08/01/2000

result set

ID name joined_date
350 f 05/01/2000
400 g 06/01/2000
450 h 06/01/2000
500 i 07/01/2000
550 j 08/01/2000

i have tried using NOT condition

index=abced_dev business=finance |dedup id
| table ID name joined_date
NOT

[search index=xxxyz business=audit
|dedup Cust_id
|rename Cust_id as ID
|table ID name joined_date]

|table ID name joined_date

Thanks

ITWhisperer · ‎05-27-2021

Is that NOT as part of a search?

index=abced_dev business=finance  |dedup id
| table ID name joined_date
| search NOT

[search index=xxxyz business=audit
|dedup Cust_id
|rename Cust_id as ID
|table ID name joined_date]

|table ID name joined_date

raghu0463 · ‎05-27-2021

Yes it’s part of search ,

I used NOT ( in place of not equal to)

ITWhisperer · ‎05-27-2021

Can you share the actual search query you are using to see if there is something else that might be wrong? Also, what is not working, are you getting events that you shouldn't or not getting events that you should?

Get non matching ID's from first search

alert action

alert condition

Introducing Splunk Enterprise Security 8.0!

Mastering Threat Hunting

Upcoming Community Maintenance: 10/28