Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Newbie doubt

SoumyaSengupta9
Explorer
‎10-20-2020 01:58 PM

I have an array of pre-defined string values.

I want to check which of these values have not occured at search time for the last 60 mins.

 

I have my query in such a format

[ "", "", "", ............  ] NOT IN [ search query ]

 

This does not work as the hardcoded strings are not a search query. What do I do here?

Basically I need the list of strings which haven't appeared in the last 60 mins among the logs.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-20-2020 02:53 PM

Recall that square brackets denote a subsearch.  Subsearches run before the main search and their results are added to the main search.  The combination must produce a valid SPL query.

The IN operator does not work the way it's being used here.  It expects a comma-separated list of values rather than the "(foo=1 OR foo=2)" type of result produced by a subsearch.

See if this query helps

search query NOT ("" OR "" OR "" OR ....)
---
If this reply helps you, Karma would be appreciated.
Reply

SoumyaSengupta9
Explorer
‎10-21-2020 01:38 AM

@richgalloway so the search query should actually be part of the subsearch, i.e - [search query].
The results returned by theses subsearch are intended to be compared with the existing list of pre-defined strings i already have.

Basically an EXCEPT operator between pre-defined strings vs search results should give me the results which did not appear in serach.

How do i do that ?

The query you mentioned above has the search at the outside which in my case needs to be inside

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2020 06:41 AM

My example query compares search results to an existing list of pre-defined strings you already have.

The NOT operator is the EXCEPT operator you seek.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SoumyaSengupta9
Explorer
‎10-21-2020 06:53 AM

@richgalloway i want the final values from the pre-defined list of values which don't appear on the search - not the other way round.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 07:32 AM

Are the pre-defined strings expect to be in a certain field in the search?  I ask because while it's not possible to use 

"foo" NOT [ search ..]

it is possible to do 

| inputlookup strings.csv | fields foo
| search foo NOT [ search ...]

but that means the pre-defined string would be expected to be in a field called 'foo'.

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...