Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Newbie doubt

SoumyaSengupta9
Explorer
‎10-20-2020 01:58 PM

I have an array of pre-defined string values.

I want to check which of these values have not occured at search time for the last 60 mins.

 

I have my query in such a format

[ "", "", "", ............  ] NOT IN [ search query ]

 

This does not work as the hardcoded strings are not a search query. What do I do here?

Basically I need the list of strings which haven't appeared in the last 60 mins among the logs.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-20-2020 02:53 PM

Recall that square brackets denote a subsearch.  Subsearches run before the main search and their results are added to the main search.  The combination must produce a valid SPL query.

The IN operator does not work the way it's being used here.  It expects a comma-separated list of values rather than the "(foo=1 OR foo=2)" type of result produced by a subsearch.

See if this query helps

search query NOT ("" OR "" OR "" OR ....)
---
If this reply helps you, Karma would be appreciated.
Reply

SoumyaSengupta9
Explorer
‎10-21-2020 01:38 AM

@richgalloway so the search query should actually be part of the subsearch, i.e - [search query].
The results returned by theses subsearch are intended to be compared with the existing list of pre-defined strings i already have.

Basically an EXCEPT operator between pre-defined strings vs search results should give me the results which did not appear in serach.

How do i do that ?

The query you mentioned above has the search at the outside which in my case needs to be inside

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2020 06:41 AM

My example query compares search results to an existing list of pre-defined strings you already have.

The NOT operator is the EXCEPT operator you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SoumyaSengupta9
Explorer
‎10-21-2020 06:53 AM

@richgalloway i want the final values from the pre-defined list of values which don't appear on the search - not the other way round.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 07:32 AM

Are the pre-defined strings expect to be in a certain field in the search?  I ask because while it's not possible to use 

"foo" NOT [ search ..]

it is possible to do 

| inputlookup strings.csv | fields foo
| search foo NOT [ search ...]

but that means the pre-defined string would be expected to be in a field called 'foo'.

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...