Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combined Search - Difference in two lists

splunk219783
Path Finder
‎11-11-2020 11:44 AM

This always feels exceptionally difficult to me, i'm not sure what i'm missing.

I have a list of machines, a simple CSV with a Name, Category, and Tag.  Kind of like this:

VMCategoryTag
VM1BackupFriday
VM1DatacenterAWS
VM2BackupMonday
VM2CriticalYes
VM2DatacenterAzure
VM3CriticalNo
VM3DatacenterAzure

 

I want to find machines that do not have a backup Category, so in this example it would be VM3.

I've written a search to give me all Machines, and another one to give me all machines with backups.  I've written this:

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT [search index=vcenter source=*tag* Category=Backup* | dedup VM | fields VM] | table VM

I get some results but not all.

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 12:21 PM

You have the general idea.

Check the subsearch by running it by itself and adding "| format" on the end.  You'll see it returns a result that looks like "(VM="VM1" OR VM="VM2)"".  That string is added to the main search to complete the query so we end up with 

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT (VM="VM1" OR VM="VM2") | table VM

 There's an extra "VM" in the search command.  Removing it works in my sandbox.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 12:21 PM

You have the general idea.

Check the subsearch by running it by itself and adding "| format" on the end.  You'll see it returns a result that looks like "(VM="VM1" OR VM="VM2)"".  That string is added to the main search to complete the query so we end up with 

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT (VM="VM1" OR VM="VM2") | table VM

 There's an extra "VM" in the search command.  Removing it works in my sandbox.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎11-11-2020 12:30 PM

Thanks Rich.  When I run the subsearch by itself with | format i do get a whole list of:

(VM="VM1") OR (VM="VM2") OR (VM="VM3")

I'm not following on where I have the extra VM in my subsearch though?

0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎11-11-2020 03:14 PM

For anyone who stumbles in the future Rich was right, but I think his example was not.  I did not need VM between search and not in the second search.  The final search was:

 

 

index=vcenter source=*tag* | dedup VM | fields VM | search NOT [search index=vcenter source=*tag* Category=Backup* | fields VM]

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...