Splunk Search

Set operator

ronak
Path Finder

I've tried using SET operator to find all the users who satisfy first condition but are not present in second search with different condition...below is an example query..

given set operator's limit of 10k records, I'm trying to find the best way to implement SET operations especially DIFF

Any pointers would be great

thanks, ronak

| set diff [search  index=mobile   Action_Name=Page_View  OS="*" (app_usage_location=*Stadium* OR app_usage_location=*Park* OR app_usage_location=*Unkno*) | fields user_id] [ search  index=mobile   Action_Name=Page_View  OS="*" NOT(app_usage_location=*Stadium* OR app_usage_location=*Park* OR app_usage_location=*Unkno*) |fields user_id] | stats dc(user_id)
Tags (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

index=mobile Action_Name=Page_View OS="*" | eval temp=if(like(app_usage_location,"%Stadium%") OR like(app_usage_location,"%Park%" OR like(app_usage_location,"%Unkno%"),1,2) | stats values(temp) as temp by user_id | where mvcount(temp)=1 | fields user_id

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...