Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combined Search - Difference in two lists

splunk219783
Path Finder
‎11-11-2020 11:44 AM

This always feels exceptionally difficult to me, i'm not sure what i'm missing.

I have a list of machines, a simple CSV with a Name, Category, and Tag.  Kind of like this:

VMCategoryTag
VM1BackupFriday
VM1DatacenterAWS
VM2BackupMonday
VM2CriticalYes
VM2DatacenterAzure
VM3CriticalNo
VM3DatacenterAzure

 

I want to find machines that do not have a backup Category, so in this example it would be VM3.

I've written a search to give me all Machines, and another one to give me all machines with backups.  I've written this:

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT [search index=vcenter source=*tag* Category=Backup* | dedup VM | fields VM] | table VM

I get some results but not all.

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 12:21 PM

You have the general idea.

Check the subsearch by running it by itself and adding "| format" on the end.  You'll see it returns a result that looks like "(VM="VM1" OR VM="VM2)"".  That string is added to the main search to complete the query so we end up with 

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT (VM="VM1" OR VM="VM2") | table VM

 There's an extra "VM" in the search command.  Removing it works in my sandbox.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-11-2020 12:21 PM

You have the general idea.

Check the subsearch by running it by itself and adding "| format" on the end.  You'll see it returns a result that looks like "(VM="VM1" OR VM="VM2)"".  That string is added to the main search to complete the query so we end up with 

index=vcenter source=*tag* | dedup VM | fields VM | search VM NOT (VM="VM1" OR VM="VM2") | table VM

 There's an extra "VM" in the search command.  Removing it works in my sandbox.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎11-11-2020 12:30 PM

Thanks Rich.  When I run the subsearch by itself with | format i do get a whole list of:

(VM="VM1") OR (VM="VM2") OR (VM="VM3")

I'm not following on where I have the extra VM in my subsearch though?

0 Karma
Reply
Solved! Jump to solution

splunk219783
Path Finder
‎11-11-2020 03:14 PM

For anyone who stumbles in the future Rich was right, but I think his example was not.  I did not need VM between search and not in the second search.  The final search was:

 

 

index=vcenter source=*tag* | dedup VM | fields VM | search NOT [search index=vcenter source=*tag* Category=Backup* | fields VM]

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top