Splunk Search

Can I exclude results from a subsearch from my main search?

Explorer

Hi,
I have two Splunk searches:

search1
search2

search2 returns a list of values for field IP. I am trying to exclude these results from search1.
Can you please explain if this is possible?

Thanks

SplunkTrust

Hi
Can you share your sample searches?

0 Karma

Explorer

Try this:

SEARCH1 NOT [SEARCH2]

I have done something similar where my second search does an | inputlookup and returns a table of values.

index=ciscoiosus oid=14179.2.1.4.1.1 NOT
[| inputlookup userlookup
| search user_name="blah"
| table user_id]

Hope this helps.

I didn't know that NOT is case-sensitive (must be all caps).

0 Karma

Explorer

To add to the question, I am trying to find the equivalent of this in Splunk

SELECT column_name(s)
FROM table_name
WHERE column_name NOT IN (SELECT STATEMENT);

0 Karma
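The `SEARCH1 NOT [SEARCH2]` pattern from the answer above, as a simplified Python model added here for illustration (not code from any poster or from Splunk). It shows why the subsearch should return only the one field, named as it is in the outer search, to behave like SQL's `NOT IN`. The events, field values and function names are constructed, and the expansion rule is stated as an assumption in the code.

```python
"""Simplified model of Splunk's `search1 NOT [search2]` (not Splunk code).

Assumption: each subsearch result row becomes an AND of field="value" terms,
and the rows are OR'ed together, as the `format` command renders them.
"""

def expand_subsearch(rows):
    """Return the filter expression the outer search receives from the subsearch."""
    clauses = ["( " + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + " )"
               for row in rows]
    return "( " + " OR ".join(clauses) + " )"

def row_matches(event, row):
    """A row matches only if every field it carries equals the event's field."""
    return all(event.get(field) == value for field, value in row.items())

def search_not_subsearch(events, rows):
    """Events from search1 that survive NOT [search2]."""
    return [e for e in events if not any(row_matches(e, r) for r in rows)]

def surviving_ips(events, rows):
    """IP values of the surviving events, in their original order."""
    return [e["IP"] for e in search_not_subsearch(events, rows)]

# Constructed sample data: search1 events and three shapes of search2 output.
EVENTS = [
    {"IP": "10.0.0.5", "action": "allowed"},
    {"IP": "10.0.0.9", "action": "blocked"},
    {"IP": "192.0.2.7", "action": "allowed"},
]
IP_ONLY = [{"IP": "10.0.0.5"}, {"IP": "10.0.0.9"}]             # ends in | fields IP
EXTRA_FIELD = [{"IP": "10.0.0.5", "action": "blocked"},         # extra field kept
               {"IP": "10.0.0.9", "action": "blocked"}]
WRONG_NAME = [{"src_ip": "10.0.0.5"}, {"src_ip": "10.0.0.9"}]   # name differs from search1

if __name__ == "__main__":
    for label, rows in [("IP only", IP_ONLY), ("extra field", EXTRA_FIELD),
                        ("wrong field name", WRONG_NAME)]:
        print(f"{label}: NOT {expand_subsearch(rows)} -> {surviving_ips(EVENTS, rows)}")
```

Only the first shape excludes both listed IPs; the extra field lets 10.0.0.5 through, and the mismatched field name excludes nothing.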