how to implement minus query in splunk?

meenal901
Communicator

Hi,

I have a lookup file which contains names of all services. From my logs, I get the current active/failed services. I want to find out the services which did not generate the logs. In SQL, I can implement a minus query to find out the difference between the lookup and the actual logs.
How to do this in Splunk?
I have tried set diff, but it is not giving the expected output.

Thanks,
Meenal

MuS
SplunkTrust

Hi meenal901

Given your lookup table is like this:

my_name, my_description
foo_name, this is used for logging

Get the entries from the lookup table first and filter them based on which host you are seeing in the system logs. Let's say your lookup table is called my_lookup.csv, the relevant logs have sourcetype my_systemlogs, and the field my_name exists in those log events. In that case, this search should get you going:

| inputlookup my_lookup.csv | search NOT [search sourcetype="my_systemlogs" | dedup my_name | fields my_name]

Hope this helps or gets you started finding the result you're looking for.

cheers,

MuS

adityapavan18
Contributor

Maybe you can try something like this (definitely not an optimized solution, but it does the job):

<search> | stats count by service | table service | append [| inputlookup allservices.csv | table service] | stats count by service | where count = 1

will provide all services for which logs are not generated.

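To make the two approaches in this thread concrete, here is an added Python example (not code from MuS, adityapavan18, or Splunk) that reproduces both searches over constructed data: a lookup in the my_name,my_description layout from the accepted answer and a handful of constructed my_systemlogs events carrying a my_name=<service> field. The service names, log format, and the regex used to pull my_name out of a line are all assumptions made for the example. It shows that the NOT-subsearch form is a true "minus" (lookup minus observed), while the append/stats count=1 form computes the symmetric difference, so it also returns services that log but are absent from the lookup; that second set is worth reporting on its own, since a service emitting logs that nobody inventoried is itself something to investigate.

```python
"""Set-difference ("minus") checks between a service inventory and observed logs.

Added example. Assumptions: the lookup is CSV text with a my_name column, and
each log line carries a my_name=<service> key/value pair. All data below is
constructed for the example.
"""
import csv
import io
import re

# Constructed lookup contents, mirroring the my_name,my_description layout
# in the accepted answer. The service names are hypothetical.
LOOKUP_CSV = """my_name,my_description
auth_svc,authentication front end
billing_svc,invoice generation
backup_svc,nightly backups
audit_svc,audit trail writer
"""

# Constructed events for sourcetype my_systemlogs. rogue_svc is deliberately
# absent from the lookup to show how the two approaches treat it differently.
LOG_LINES = [
    "2024-05-01T00:00:01Z host=web1 my_name=auth_svc status=active",
    "2024-05-01T00:00:02Z host=web1 my_name=auth_svc status=active",
    "2024-05-01T00:00:03Z host=db1 my_name=billing_svc status=failed",
    "2024-05-01T00:00:04Z host=db1 my_name=rogue_svc status=active",
]

# Assumed field extraction: the value following "my_name=" up to whitespace.
KV_RE = re.compile(r"\bmy_name=(\S+)")


def lookup_names(csv_text):
    """Equivalent of: | inputlookup my_lookup.csv | fields my_name"""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["my_name"].strip() for row in reader}


def observed_names(lines):
    """Equivalent of: search sourcetype=my_systemlogs | dedup my_name | fields my_name"""
    names = set()
    for line in lines:
        match = KV_RE.search(line)
        if match:
            names.add(match.group(1))
    return names


def silent_services(csv_text, lines):
    """MuS's form (search NOT [subsearch]): lookup minus observed.
    Returns inventoried services that produced no events."""
    return sorted(lookup_names(csv_text) - observed_names(lines))


def symmetric_difference(csv_text, lines):
    """adityapavan18's form: append both lists, count by service, keep count == 1.
    Because each side is deduplicated first, a name appears twice only when it
    is in both lists, so count == 1 yields the symmetric difference."""
    counts = {}
    for name in observed_names(lines):
        counts[name] = counts.get(name, 0) + 1
    for name in lookup_names(csv_text):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, count in counts.items() if count == 1)


def unexpected_services(csv_text, lines):
    """Observed minus lookup: services that are logging but not inventoried."""
    return sorted(observed_names(lines) - lookup_names(csv_text))


if __name__ == "__main__":
    print("silent (lookup - logs):   ", silent_services(LOOKUP_CSV, LOG_LINES))
    print("symmetric difference:     ", symmetric_difference(LOOKUP_CSV, LOG_LINES))
    print("unexpected (logs - lookup):", unexpected_services(LOOKUP_CSV, LOG_LINES))
```

Running it lists audit_svc and backup_svc as silent under both approaches, but only the append/stats form also surfaces rogue_svc. If the goal is strictly the SQL MINUS (services in the lookup with no logs), the NOT-subsearch form is the faithful translation; if you also want to catch un-inventoried services, keep both results but report them separately so the two conditions are not conflated.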
