Getting Data In

Newbie doubt

SoumyaSengupta9
Explorer

I have an array of pre-defined string values.

I want to check which of these values have not occurred at search time for the last 60 mins.


I have my query in such a format

[ "", "", "", ............  ] NOT IN [ search query ]


This does not work as the hardcoded strings are not a search query. What do I do here?

Basically I need the list of strings which haven't appeared in the last 60 mins among the logs.

richgalloway
SplunkTrust

Recall that square brackets denote a subsearch.  Subsearches run before the main search and their results are added to the main search.  The combination must produce a valid SPL query.

The IN operator does not work the way it's being used here.  It expects a comma-separated list of values rather than the "(foo=1 OR foo=2)" type of result produced by a subsearch.

See if this query helps

search query NOT ("" OR "" OR "" OR ....)
---
If this reply helps you, Karma would be appreciated.

SoumyaSengupta9
Explorer

@richgalloway so the search query should actually be part of the subsearch, i.e - [search query].
The results returned by this subsearch are intended to be compared with the existing list of pre-defined strings I already have.

Basically an EXCEPT operator between pre-defined strings vs search results should give me the results which did not appear in the search.

How do I do that?

The query you mentioned above has the search on the outside, which in my case needs to be inside.

0 Karma

richgalloway
SplunkTrust

My example query compares search results to an existing list of pre-defined strings you already have.

The NOT operator is the EXCEPT operator you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma

SoumyaSengupta9
Explorer

@richgalloway I want the final values from the pre-defined list of values which don't appear in the search - not the other way round.

0 Karma

richgalloway
SplunkTrust

Are the pre-defined strings expected to be in a certain field in the search?  I ask because while it's not possible to use

"foo" NOT [ search ..]

it is possible to do

| inputlookup strings.csv | fields foo
| search foo NOT [ search ...]

but that means the pre-defined string would be expected to be in a field called 'foo'.


---
If this reply helps you, Karma would be appreciated.
0 Karma
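The set difference the thread is after (start from the pre-defined list, subtract whatever the search actually saw in the last 60 minutes) is easy to lose sight of in SPL syntax, so here is the same logic as a stand-alone Python example. It is added here and is not code from the thread or from Splunk; the `foo` field name follows the last reply, and the expected list, the key=value log lines and the fixed "now" timestamp are all constructed sample data. The function returns the expected values that produced no event inside the window, which is the list the original poster wanted (values that went quiet, a common missing-heartbeat detection).

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample data: the pre-defined list of values we expect to see.
EXPECTED = ["alpha", "bravo", "charlie", "delta"]

# Constructed sample log lines: ISO-8601 UTC timestamp followed by key=value pairs.
# "charlie" only appears more than an hour before NOW, "delta" never appears,
# and "echo" appears but is not in the expected list. One line is malformed.
SAMPLE_LOGS = """\
2024-05-01T11:05:00Z host=web01 foo=alpha status=ok
2024-05-01T11:20:00Z host=web02 foo=bravo status=ok
2024-05-01T10:10:00Z host=web03 foo=charlie status=ok
2024-05-01T11:50:00Z host=web01 foo=alpha status=ok
2024-05-01T11:55:00Z host=web04 foo=echo status=ok
garbage line without a timestamp
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp; return None if it does not match TS_FORMAT."""
    try:
        return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_line(line):
    """Return (timestamp, fields) for one log line, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = parse_ts(m.group("ts"))
    if ts is None:
        return None
    return ts, dict(FIELD_RE.findall(m.group("rest")))


def seen_values(log_text, field, now, window_minutes=60):
    """Distinct values of `field` in events whose timestamp lies within the
    last `window_minutes` up to and including `now` (equivalent to the
    search side of the thread: everything the search would return)."""
    now_ts = parse_ts(now)
    start = now_ts - timedelta(minutes=window_minutes)
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole run
        ts, fields = parsed
        if start <= ts <= now_ts and field in fields:
            seen.add(fields[field])
    return seen


def missing_values(expected, log_text, field, now, window_minutes=60):
    """Expected values with no event in the window: the "list NOT search"
    direction the original poster asked for, not "search NOT list"."""
    return sorted(set(expected) - seen_values(log_text, field, now, window_minutes))


if __name__ == "__main__":
    # Fixed "now" so the example is reproducible offline.
    print(missing_values(EXPECTED, SAMPLE_LOGS, "foo", "2024-05-01T12:00:00Z"))
```

Note the direction of the subtraction: `set(expected) - seen` answers "which expected values went missing", while `seen - set(expected)` would answer "which observed values are not on the list" (here, `echo`). That is exactly the distinction between the `inputlookup ... | search foo NOT [ ... ]` pattern in the last reply and the earlier `search query NOT (...)` form.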