Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Newbie doubt

SoumyaSengupta9
Explorer
‎10-20-2020 01:58 PM

I have an array of pre-defined string values.

I want to check which of these values have not occured at search time for the last 60 mins.

 

I have my query in such a format

[ "", "", "", ............  ] NOT IN [ search query ]

 

This does not work as the hardcoded strings are not a search query. What do I do here?

Basically I need the list of strings which haven't appeared in the last 60 mins among the logs.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-20-2020 02:53 PM

Recall that square brackets denote a subsearch.  Subsearches run before the main search and their results are added to the main search.  The combination must produce a valid SPL query.

The IN operator does not work the way it's being used here.  It expects a comma-separated list of values rather than the "(foo=1 OR foo=2)" type of result produced by a subsearch.

See if this query helps

search query NOT ("" OR "" OR "" OR ....)
---
If this reply helps you, Karma would be appreciated.
Reply

SoumyaSengupta9
Explorer
‎10-21-2020 01:38 AM

@richgalloway so the search query should actually be part of the subsearch, i.e - [search query].
The results returned by theses subsearch are intended to be compared with the existing list of pre-defined strings i already have.

Basically an EXCEPT operator between pre-defined strings vs search results should give me the results which did not appear in serach.

How do i do that ?

The query you mentioned above has the search at the outside which in my case needs to be inside

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2020 06:41 AM

My example query compares search results to an existing list of pre-defined strings you already have.

The NOT operator is the EXCEPT operator you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SoumyaSengupta9
Explorer
‎10-21-2020 06:53 AM

@richgalloway i want the final values from the pre-defined list of values which don't appear on the search - not the other way round.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 07:32 AM

Are the pre-defined strings expect to be in a certain field in the search?  I ask because while it's not possible to use 

"foo" NOT [ search ..]

it is possible to do 

| inputlookup strings.csv | fields foo
| search foo NOT [ search ...]

but that means the pre-defined string would be expected to be in a field called 'foo'.

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...